I opened a port to receive some external connections.
But the request comes in via pppoe-wan-cnpj while the reply goes out via pppoe-wan-cpf, which causes the problem.
When I disable pppoe-wan-cpf, everything works fine.
I believe this is a route problem.
I was not able to change the route settings for the PPPoE connection.
Could you guys help a hopeless noob?
Regards.
# sep/25/2022 22:40:55 by RouterOS 7.5
# software id = XXXX-XXXX
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXXX
#
# Dual-WAN export: two PPPoE uplinks (ether7 "cpf", ether8 "cnpj") in front of
# one LAN bridge, with connection/routing marks in mangle and two custom
# routing tables. Software id and serial were redacted by the poster.
/interface bridge
add name=bridge-lan
/interface ethernet
# ether1-4 become LAN bridge members below; ether7/ether8 carry the PPPoE
# sessions. ether5/ether6 are renamed nowhere and are not referenced again.
set [ find default-name=ether1 ] l2mtu=1598 name=ether1-lan
set [ find default-name=ether2 ] l2mtu=1598 name=ether2-lan
set [ find default-name=ether3 ] l2mtu=1598 name=ether3-lan
set [ find default-name=ether4 ] l2mtu=1598 name=ether4-lan
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598 name=ether7-wan-cpf
set [ find default-name=ether8 ] l2mtu=1598 name=ether8-wan-cnpj
/interface pppoe-client
# Both sessions install a default route (add-default-route=yes) and neither
# sets a distance, so the main table carries two default routes. Any
# connection that does not receive a routing mark below is forwarded by the
# main table, i.e. by whichever of the two defaults the router prefers —
# NOTE(review): presumably why an inbound connection on cnpj can be answered
# out of cpf (see the mangle section); confirm with /ip route print.
add add-default-route=yes disabled=no interface=ether8-wan-cnpj name=pppoe-wan-cnpj user=xxx@xxx
add add-default-route=yes disabled=no interface=ether7-wan-cpf name=pppoe-wan-cpf user=xxx@xxx
/interface list
# listBridge = trusted LAN side; listPppoe = both untrusted WAN sessions.
# The firewall, NAT and mangle rules key on these lists rather than on
# individual interfaces.
add name=listBridge
add name=listPppoe
/interface wireless security-profiles
# Default profile left as exported; the RB5009 model named above has no radio.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.41-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-lan name=dhcp1
/routing table
# One FIB-backed table per uplink, referenced by the mark-routing rules and
# the /routing rule entries at the end. NOTE(review): no /ip route section
# appears in this export, so it is not visible whether each table holds a
# default route via its own PPPoE session; with lookup-only-in-table a
# marked packet has nowhere to go without one — confirm the export is complete.
add disabled=no fib name=routing-table-wan-cpf
add disabled=no fib name=routing-table-wan-cnpj
/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether1-lan
add bridge=bridge-lan ingress-filtering=no interface=ether2-lan
add bridge=bridge-lan ingress-filtering=no interface=ether3-lan
add bridge=bridge-lan ingress-filtering=no interface=ether4-lan
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) restricted to the LAN list; the WAN
# sessions do not advertise the router.
set discover-interface-list=listBridge
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# NOTE(review): IPv6 settings are present but no /ipv6 firewall section is in
# this export; if the PPPoE sessions hand out IPv6, confirm an IPv6 filter
# exists, since the IPv4 rules below do not cover it.
set max-neighbor-entries=8192
/interface list member
add interface=bridge-lan list=listBridge
add interface=pppoe-wan-cnpj list=listPppoe
add interface=pppoe-wan-cpf list=listPppoe
/interface ovpn-server server
# md5 is still accepted as an HMAC choice here. NOTE(review): the export does
# not show whether the OVPN server is enabled; if it is in use, restricting
# auth to sha1 (or stronger, where the client supports it) is the safer setting.
set auth=sha1,md5
/ip address
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0
/ip dhcp-server lease
# The next line is the poster's redaction marker, not RouterOS syntax.
/// I REMOVED THIS INFO ///
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
# The router resolves for the LAN (allow-remote-requests=yes). Reaching this
# resolver from the WAN side is blocked twice: by the raw rules on dst-port=53
# and by the input chain's final drop.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment="accept established, related" connection-state=established,related log-prefix="[FILTER #1]"
# Anything from the LAN list reaches the router; management exposure is then
# narrowed further by the /ip service section (only winbox left enabled, and
# only from two addresses).
add action=accept chain=input comment="accepts everything from the internal lan" in-interface-list=listBridge log-prefix="[FILTER #2]"
add action=drop chain=input comment="drop invalid" connection-state=invalid log-prefix="[FILTER #3]"
add action=accept chain=input comment="allow ICMP" in-interface-list=listPppoe log-prefix="[FILTER #4]" protocol=icmp
# psd=21,3s,3,1 is RouterOS's (WeightThreshold,DelayThreshold,LowPortWeight,
# HighPortWeight) tuple; a source crossing it from the WAN is listed in
# PORTSCAN for 5w5d and dropped in raw below.
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect" connection-nat-state="" in-interface-list=listPppoe log=yes log-prefix="[FILTER #5]" protocol=tcp psd=21,3s,3,1
# Any WAN-side TCP attempt at these management/service ports is treated as a
# scan. Note 8291 (winbox) is in the list, so the service's address
# restriction below is backed by a block here as well.
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect v2" dst-port=20-23,3389,53,1723,3306,8291 in-interface-list=listPppoe log=yes log-prefix="[FILTER #6]" protocol=tcp
# disabled=yes: this stricter variant (list anything but 80/443) is off.
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=5w5d chain=input comment="portscan detect v3, bloqueia tudo menos x portas" disabled=yes dst-port=!80,443 in-interface-list=listPppoe log=yes log-prefix="[FILTER #7]" protocol=tcp
# Default-deny for the input chain; no interface match, so it also covers
# anything not on either list.
add action=drop chain=input comment="drop everything else" log-prefix="[FILTER #8]"
# --- forward chain (traffic through the router) ---
# NOTE(review): once a connection is fasttracked, its later packets skip the
# mangle chains, so the per-packet mark-routing below may not be applied to
# them; confirm whether this interacts with the dual-WAN steering.
add action=fasttrack-connection chain=forward comment="fast-track for established, related" connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward comment="fast-track dns tcp" dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="fast-track dns udp" dst-port=53 hw-offload=yes protocol=udp
# log=yes on an established/related accept logs every non-fasttracked packet
# of every flow — useful while debugging the routing issue, very noisy otherwise.
add action=accept chain=forward comment="accept established, related" connection-state=established,related log=yes log-prefix="[FILTER #12]"
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="[FILTER #13]"
# New connections from the WAN are only forwarded if a dst-nat rule claimed
# them (connection-nat-state=!dstnat is dropped). LAN-originated traffic is
# not matched by any forward rule and therefore passes.
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=listPppoe log=yes log-prefix="[FILTER #14]"
/ip firewall mangle
# Connection marks are assigned to traffic *arriving on each WAN*, split by a
# 2-way PCC classifier (remainder 0 on cpf, remainder 1 on cnpj), and only
# when the destination is not a router-local address.
# NOTE(review): two things follow from that and both are worth confirming
# against the packet-flow order of this RouterOS version:
#  - the dst-nat rule below has not run yet at mangle prerouting, so a packet
#    for the forwarded port 80 still carries the router's own (local) WAN
#    address and is excluded by dst-address-type=!local;
#  - the PCC split means only the matching half of inbound connections on a
#    given WAN would receive that WAN's mark even without the local exclusion.
# Either leaves the forwarded connection unmarked, and its replies then
# follow the main table's default route — consistent with the symptom in the
# post. Marking inbound WAN connections by in-interface alone (no PCC, no
# dst-address-type condition) is the usual shape for this case.
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=pppoe-wan-cpf log=yes log-prefix="[MANGLE #3]" new-connection-mark=mark-conn-wan-cpf passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=pppoe-wan-cnpj log=yes log-prefix="[MANGLE #4]" new-connection-mark=mark-conn-wan-cnpj passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
# Packets from the LAN subnet that belong to a marked connection get the
# routing mark of that connection's WAN (passthrough=no ends mangle processing
# for them). Together with the /routing rule entries this is what should
# send replies back out of the WAN the connection arrived on.
add action=mark-routing chain=prerouting connection-mark=mark-conn-wan-cpf log=yes log-prefix="[MANGLE #5]" new-routing-mark=routing-table-wan-cpf passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting connection-mark=mark-conn-wan-cnpj log=yes log-prefix="[MANGLE #6]" new-routing-mark=routing-table-wan-cnpj passthrough=no src-address=192.168.0.0/24
# accept stops mangle processing for remaining WAN-ingress packets.
add action=accept chain=prerouting in-interface-list=listPppoe log-prefix="[MANGLE #7]"
/ip firewall nat
# masquerade rather than src-nat because the PPPoE addresses are dynamic.
add action=masquerade chain=srcnat log-prefix="[NAT #0]" out-interface-list=listPppoe src-address=192.168.0.0/24
# The single exposed service: TCP/80 on either WAN -> 192.168.0.21:8080. This
# is the port forward whose replies the poster sees leaving on the wrong WAN.
add action=dst-nat chain=dstnat comment="Consumer APPs" dst-port=80 in-interface-list=listPppoe log=yes log-prefix="[NAT #1]" protocol=tcp to-addresses=192.168.0.21 to-ports=8080
/ip firewall raw
# raw runs before connection tracking, so WAN-side DNS queries and PORTSCAN
# sources are discarded without creating conntrack entries (defense in depth
# on top of the input chain's final drop).
add action=drop chain=prerouting comment="protect ddos attack against dns, dns only works for internal requests" dst-port=53 in-interface-list=listPppoe protocol=tcp
add action=drop chain=prerouting comment="protect ddos attack against dns, dns only works for internal requests" dst-port=53 in-interface-list=listPppoe protocol=udp
# No interface match: a listed source is dropped regardless of where it
# arrives. Only the two WAN-side input rules add entries, so LAN hosts
# cannot list themselves here.
add action=drop chain=prerouting comment="portscan block" src-address-list=PORTSCAN
/ip service
# Management surface: every service except winbox is disabled, and winbox
# answers only the two LAN addresses listed.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.10/32,192.168.0.11/32
set api-ssl disabled=yes
/ip ssh
# Stronger SSH ciphers are enforced, although the ssh service itself is
# disabled above; this only matters if it is re-enabled.
set strong-crypto=yes
/routing rule
# A packet carrying either routing mark is resolved only in its own table
# (no fallback to main).
add action=lookup-only-in-table disabled=no routing-mark=routing-table-wan-cpf table=routing-table-wan-cpf
add action=lookup-only-in-table disabled=no routing-mark=routing-table-wan-cnpj table=routing-table-wan-cnpj
/system clock
set time-zone-name=America/Sao_Paulo
/system package update
set channel=long-term
/tool bandwidth-server
# Bandwidth test server off (and would require auth if enabled).
set authenticate=no enabled=no
/tool mac-server
# MAC-telnet reachable from the LAN list only.
set allowed-interface-list=listBridge