First of all, thanks for going through my config in so much detail, it's really helpful.
Some context before answering your questions: my ISP (providing me with internet, VoIP and IPTV) only supports their own routers, so when you need/want to use a different device you're pretty much on your own. When they change or update something, there's a local community where we share configurations and hacks to try and keep up with those changes, so it's very likely that there are some things in my config that make no sense anymore (maybe they did in the past, and I just forgot to remove them when something new came up).
Anyway, let's go.
(1) Why are you using this??
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
I honestly don't know, lol. Can't remember why or when I decided that I needed those. I've just set everything to "no".
(2) Recommend this be set to NONE, as it has unknown usage amongst folks here and has caused issues in the past.
/interface detect-internet
set detect-interface-list=all
Done, thanks.
(3) Why does your ether1 have an IP address ???
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0
I thought it was a pppoe dynamic setting using vlan6, aka there should be no address for ether1-gateway!!
And you're probably right. Again, I don't know why that's there. I've just removed it.
(4) Why does your IPTV have an IP address on vlan2 on ether1? Was this assigned to you by the ISP provider??
(If so, I would have thought just having the vlan would be good enough to tie into whatever set-top boxes you have??)
Okay I see a weird DHCP setting so assume these are requirements the ISP passed on to you for the router?
I'm not sure what you mean here... I only see 1 IP address for the IPTV ("/ip address add address=10.10.10.10/10 comment=iptv interface=vlan2 network=10.10.0.0"). This is, as you figured out, assigned to each customer by the ISP, as well as the "weird DHCP setting".
(5) who is providing VOIP over the ether1 port on vlan3, your ISP provider???
Yes.
(6) Did you insert these settings for DHCP client?? There should be none as this is all handled by the pppoe settings part of the config.
Okay later on I see somehow that works for the VOIP client settings from your ISP provider ???
/ip dhcp-client
add add-default-route=no interface=vlan3 use-peer-ntp=no
Yes, I inserted that. It's apparently required by the ISP configuration (in the local community I told you about, this setting is on the "standard" configuration for this provider, so I've never investigated it too much).
(7) Very confusing that you have an IPTV network coming in on ether1 from some unknown provider, it has an address of 10.10.10 etc. and yet
you have some weird dhcp-server network setting (see below) and even worse a lease to an IPTV machine on the main subnet???
/ip dhcp-server network
add address=192.168.50.200/29 comment="iptv stb" dhcp-option=\
iptv_option dns-server=37.37.37.37 gateway=192.168.50.1 netmask=24
Clearly it all must work for you but I am trying to understand how IPTV comes into the router and reaches the main subnet and what happens next.
Who uses this IPTV etc........
Yes, the iptv set-top-box configuration is complicated. It's the most difficult item to configure with this particular ISP. Many people just let the original router (in bridge mode) handle the iptv and voip services to avoid the mess. This dhcp-server config is needed for the STB to (i) use the weird option we talked about before and (ii) use that particular DNS server, because it just doesn't work with any other.
(8) Which machine is the server you are talking about, machine1 or machine2..............
The server is identified by... "server".
For example: "/ip dhcp-server lease add address=192.168.50.2 comment=server mac-address=xxxxxxxxxxxxx server=dhcp_main". Yeah, maybe not the best name to read a configuration with "dns servers" and "dhcp servers", etc. Maybe I should change the name to "my_web_server" or something like that to make the config more readable.
(9) As far as firewall rules go, let's stick with defaults and whatever funky stuff you need for VoIP, IPTV etc. and let's dispense with the extra (garbage).
OK, I've followed your indications, **except** the last one:
add action=drop chain=forward comment="drop all else"
As soon as I enable that filter, 2 things happen:
1. The iptv stops working
2. The clients using the WG client (machine1, machine2) can't reach the Internet (only the LAN)
Note1: What I don't get is this rule. It seems pretty open-ended but assuming it's coming from the ISP??? If so, why the source address as it is??? How does this work?
add action=accept chain=input comment=\
"accept vlan3 traffic for VoIP" in-interface=vlan3 src-address=\
10.0.0.0/8
You're right, it's probably some garbage left from some old configuration. I've deleted it.
Note2: Why is this forward chain rule referring to vlan2?? If you have users coming in from the WAN side they would be coming in on your ISP internet traffic, which is interface name pppoe-out1 or vlan6??? AND NOT VLAN2, that is your IPTV connection from the ISP????
Okay, after looking at the rule I see it's for multicast, man this is so weird.......
add action=drop chain=forward comment=\
"drop all new unicast traffic from vlan2 Iptv not DSTNATed" \
connection-nat-state=!dstnat connection-state=new dst-address-type=\
unicast in-interface=vlan2
A much cleaner rule is the following:
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2
Again, that forward chain rule is in the local community "recommended configuration". To be honest, I don't quite understand it either. It looks pretty useless, since it gets absolutely NO traffic (both the byte and packet counters are always at ZERO).
I've tried to remove that rule and use yours
add action=accept chain=forward comment="allow port forwarding of IPTV traffic" \
connection-nat-state=dstnat dst-address-type=unicast in-interface=vlan2
but I don't see any traffic either.
So even without my rule and without yours everything seems to work ok... (which sounds logical since none of them was seeing any traffic).
(10) I have not seen mangling used for hairpin nat rules.............. are you SURE its necessary??
It seems to be, since if I disable it I can't access my websites from the LAN (the websites are hosted on my server at 192.168.50.2). I don't know if there's a better way; this just works for me.
(11) You have many source NAT rules heading out the ethernet..................... PPPoE makes sense.
I suppose you need one for vlan2 (IPTV) and VoIP vlan3?? If so you should get rid of the extra one (yellow).
The rules for vlan2 & vlan3 are, again, what the local community recommends for this ISP. I've just tried to disable them and everything seems to work OK (although in this case, the counters DID register some traffic... not a lot, but it was not zero). I don't know, like I said the iptv STB is a nightmare to configure, so maybe I leave the vlan2 rule enabled just in case, maybe it's just needed for firmware updates, or some bullshit with the ISP from time to time.
I'm also following your advice about making interface lists. I had never used them before, but they look useful for simplifying configs.
Thanks again for all your help!
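As an added example (not the poster's configuration and not the other member's suggestion), here is how the forward chain from item (9) and the hairpin NAT from item (10) could be written with interface lists so that the final "drop all else" rule can stay enabled: every forwarded flow, including the IPTV streams arriving on vlan2 and the WireGuard clients going out to the internet, gets an explicit accept above the drop, and the hairpin is done with a dstnat/srcnat pair instead of mangle. The list names WAN and LAN, the bridge name "bridge" and the WireGuard interface name "wireguard1" are assumptions; pppoe-out1, vlan2 and the 192.168.50.x addresses come from the thread. That the STB receives its streams as multicast is also an assumption.

```routeros
# Added example, not the poster's config. Assumed names: interface lists
# WAN/LAN, bridge "bridge", WireGuard interface "wireguard1".
/interface list
add name=WAN comment="internet-facing interfaces"
add name=LAN comment="trusted side, including the WireGuard tunnel"
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=wireguard1 list=LAN

/ip firewall filter
# Generic accepts first, so the rules below only see new connections
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Every forwarded flow needs an explicit accept before the final drop.
# WireGuard is a LAN member, so tunnel clients reach the internet via this rule.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN and WireGuard clients to internet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="between the LAN and the tunnel"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    comment="port forwards from the internet"
# IPTV: multicast streams arriving on vlan2 and any DST-NATed unicast (the rule
# from the thread) must be allowed explicitly, or the final drop stops the STB
add chain=forward action=accept in-interface=vlan2 dst-address-type=multicast \
    comment="IPTV multicast from vlan2 to the STB"
add chain=forward action=accept in-interface=vlan2 connection-nat-state=dstnat \
    dst-address-type=unicast comment="allow port forwarding of IPTV traffic"
add chain=forward action=drop comment="drop all else"

/ip firewall nat
# Port forward for the web server at 192.168.50.2 (ports are assumed)
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.50.2 comment="web server from internet"
# Hairpin NAT without mangle: LAN hosts that address the router's public IP
# (dynamic on PPPoE, so matched with dst-address-type=local) are DST-NATed too...
add chain=dstnat in-interface-list=LAN dst-address-type=local \
    dst-address=!192.168.50.1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.50.2 comment="web server from LAN (hairpin)"
# ...and then masqueraded, so the server answers through the router instead of
# replying directly to the client with an address it never connected to
add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.50.2 \
    out-interface-list=LAN protocol=tcp dst-port=80,443 action=masquerade \
    comment="hairpin NAT for the web server"
add chain=srcnat out-interface-list=WAN action=masquerade comment="internet"
```

The hairpin dstnat rule is limited to in-interface-list=LAN and excludes 192.168.50.1 because dst-address-type=local also matches every other address the router holds (the 10.10.10.10 IPTV address on vlan2, the vlan3 DHCP address, the bridge address), and the exclusion keeps the router's own web interface reachable on the LAN address. After enabling the final drop, `/ip firewall filter print stats` shows which accept rules actually carry traffic; a flow that still breaks shows up as a rising counter on the drop rule.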