I am happy with it, but I have a few questions for the more knowledgeable ones.
I usually put ether1-WAN in the INTERNET bridge and then filter that bridge in the rules. The reason is simply not to get confused. Are there any cons to doing it that way? I presume it delays filtering a bit (first the port, then the bridge), but I suppose there is no big performance impact. Security?
Here is the config:
# Address lists referenced by the filter rules further down.
# allowed_to_router: hosts permitted to reach services on the router itself (input chain).
#   The range deliberately leaves out 10.10.10.1 (presumably the router) and .255 (broadcast).
# not_in_internet: RFC 6890 special-purpose / bogon ranges. Used in two directions below:
#   as a source check on traffic arriving from INTERNET and as a destination check on
#   traffic leaving a LAN interface, so private ranges neither come in from nor leak out to the WAN.
# local_ranges: the three internal subnets; used as an anti-spoofing source check on LAN ingress.
/ip firewall address-list
add address=10.10.10.2-10.10.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
# 240.0.0.0/4 also covers the limited-broadcast address 255.255.255.255.
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.10.10.0/24 list=local_ranges
add address=10.10.20.0/24 list=local_ranges
add address=10.10.30.0/24 list=local_ranges
# Filter rules. "INTERNET" is the WAN-facing interface; per the post it is a bridge
# holding ether1, so every rule below matches on the bridge, and any port later added
# to that bridge is implicitly treated as WAN. "LAN" is an interface list defined elsewhere.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="allow established, related" connection-state=established,related
# Router-hosted DNS is reachable from every interface except INTERNET, so the resolver
# is not exposed to the WAN side (open-resolver abuse).
add action=accept chain=input comment="DNS UDP" dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input comment="DNS TCP" dst-port=53 in-interface=!INTERNET protocol=tcp
# ICMP to the router is accepted from any interface, INTERNET included, with no rate
# limit (a limit= matcher would bound it) and ahead of the allowed_to_router check.
add action=accept chain=input comment="alow icmp" protocol=icmp
# NOTE(review): matched by source address only. A packet arriving on INTERNET with a
# spoofed 10.10.10.x source would also match here, because nothing in the input chain
# drops not_in_internet sources coming from INTERNET. Adding in-interface-list=LAN (the
# list already used in the forward chain) would bind this rule to the internal interfaces.
add action=accept chain=input comment="allowed to router" src-address-list=allowed_to_router
# Default deny for everything else addressed to the router (not logged).
add action=drop chain=input
# --- forward chain: traffic routed through the router ---
# fasttrack must stay directly before the matching accept; fasttracked packets bypass
# the rest of the filter, so later rules only ever see new/invalid/non-fasttracked traffic.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
# Disabled: inbound port forwards are admitted by the "!NAT" rule below instead.
add action=accept chain=forward comment="Accept Port forwards if configured" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
# Egress filter: private/bogon destinations must not leave a LAN interface toward a non-LAN one (logged).
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=\
!LAN
# Only new connections that were dst-natted (port forwards) may enter from INTERNET;
# everything else unsolicited from the WAN is dropped and logged here.
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=INTERNET log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# WAN ingress anti-spoofing. Because the "!NAT" rule above already dropped every new
# non-dstnat'd connection from INTERNET, in practice this rule only sees dst-natted
# connections; swapping the two would log spoofed sources under "!public" rather than "!NAT".
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=INTERNET log=yes log-prefix=!public src-address-list=not_in_internet
# LAN ingress anti-spoofing: sources on a LAN interface must belong to one of the three internal subnets.
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!local_ranges
# Segment isolation: WiFi (10.10.20.0/24) and VIDEOSURVEILANCE (10.10.30.0/24) may not
# initiate connections to the other internal subnets; replies still return via the
# established,related accept above. There is no matching rule for 10.10.10.0/24 as a
# source, so that direction stays open (presumably by design). reject gives internal
# clients a fast failure; drop would be quieter.
add action=reject chain=forward comment="Block WiFi to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block WiFi to VIDEOSURVEILANCE traffic" dst-address=10.10.30.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to WIFI traffic" dst-address=10.10.20.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
# NOTE(review): passthrough matches everything and changes nothing, so the forward
# chain ends default-accept: anything not dropped or rejected above is forwarded.
# A final drop, with explicit accepts for the permitted LAN -> INTERNET and
# inter-subnet flows, would turn this into a default-deny policy.
add action=passthrough chain=forward
# --- icmp subchain (jumped to from forward): allow only the listed type:code pairs ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
# 3:4 (fragmentation needed) is required for Path MTU discovery to work through the router.
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
# Everything not listed above (e.g. redirects, timestamp requests) is dropped.
add action=drop chain=icmp comment="deny all other types"
# NAT. Only the masquerade rule is active; the IPsec bypass and the sample forward are disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=INTERNET
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
# Sample only: to-addresses=1.2.3.4 is a placeholder from the author's export. Point it
# at an internal host before enabling. Any enabled forward is exactly what the forward
# chain's "!NAT" rule lets in from INTERNET, so each one widens the exposed surface.
add action=dst-nat chain=dstnat comment="Sample Port Forward" disabled=yes dst-port=123 in-interface=INTERNET protocol=tcp to-addresses=1.2.3.4 to-ports=123
# NAT helpers (ALGs) all disabled: the helpers parse application payloads of
# untrusted traffic to open related pinholes, so turning them off removes that code
# path and the dynamic pinholes. Side effect: active-mode FTP and SIP through the
# NAT rely on these helpers and may not work without them.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes