Thu Jan 19, 2023 9:49 pm
Why, a huge waste of time.
All you need is..
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(user rules - what traffic should be allowed)
add action=accept chain=input in-interface-list=LAN *****
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules - what traffic should be allowed)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
***** Typically, one has a single trusted subnet (not used for guests or media or IoT etc.), but the rule above allows all subnet traffic for initial connectivity for router services and to config the router. Better to split router services for everyone and ONLY the admin to config the router! Thus the rule should be modified further into three rules (these are input-chain rules, since they replace the input rule above):
add action=accept chain=input comment="admin access to router" src-address-list=Authorized
add action=accept chain=input comment="router DNS for all LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="router DNS and NTP for all LAN (drop port 123 if NTP not a service provided)" dst-port=53,123 in-interface-list=LAN protocol=udp
Where Authorized is a firewall address list comprised of (nominally) the following:
add address=IPofadmin1 comment="desktop" list=Authorized
add address=IPofadmin2 comment="laptop wifi" list=Authorized
add address=IPofadmin3 comment="iPad/iPhone wifi" list=Authorized
add address=IPofadmin4 comment="road warrior laptop via WireGuard" list=Authorized
add address=IPofadmin5 comment="road warrior iPad/iPhone via WireGuard" list=Authorized
etc.....
Note: Assumes addresses behind router are set as fixed static leases.
++++++++++++++++++++++++++++++++++++++++
Thus one does not really have to care or bother with what or who is attempting to ping the router.
All traffic is dropped by both the input and forward chains. The only allowed traffic is what you have stated (user allowed rules).
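As an added example (not code from the forum post), a small Python model of how RouterOS walks an ordered filter chain: the first matching rule decides, and a packet that matches no rule is accepted. It replays the input chain above, with the three Authorized rules in place of the blanket LAN accept, against a few constructed packets; the addresses and interface names are assumptions.

```python
# Added example, not from the forum post: model a RouterOS filter chain walk
# (first match wins; no match means accept) over the input chain described above.
# Address-list contents and interface names below are constructed sample data.
AUTHORIZED = {"192.168.88.10", "192.168.88.11"}  # constructed "Authorized" list
LAN_IFACES = {"bridge"}                            # constructed "LAN" interface list

# Input chain from the post, with the three "Authorized" rules replacing the
# blanket in-interface-list=LAN accept. Every field except "action" is a matcher.
INPUT_CHAIN = [
    {"connection-state": {"established", "related", "untracked"}, "action": "accept"},
    {"connection-state": {"invalid"}, "action": "drop"},
    {"protocol": "icmp", "action": "accept"},
    {"src-address-list": "Authorized", "action": "accept"},
    {"protocol": "tcp", "dst-port": {53}, "in-interface-list": "LAN", "action": "accept"},
    {"protocol": "udp", "dst-port": {53, 123}, "in-interface-list": "LAN", "action": "accept"},
    {"action": "drop"},  # "drop all else"
]

def matches(rule, pkt):
    """True when every matcher in the rule applies to the packet."""
    checks = {
        "connection-state": lambda v: pkt["state"] in v,
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: pkt.get("dport") in v,
        "src-address-list": lambda v: pkt["src"] in {"Authorized": AUTHORIZED}[v],
        "in-interface-list": lambda v: pkt["in_if"] in {"LAN": LAN_IFACES}[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")

def evaluate(chain, pkt):
    """Walk the chain in order; RouterOS accepts a packet no rule matched."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def make_pkt(src, in_if, proto, dport=None, state="new"):
    return {"src": src, "in_if": in_if, "proto": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    cases = {
        "admin -> winbox 8291": make_pkt("192.168.88.10", "bridge", "tcp", 8291),
        "guest -> winbox 8291": make_pkt("192.168.88.50", "bridge", "tcp", 8291),
        "guest -> DNS udp 53": make_pkt("192.168.88.50", "bridge", "udp", 53),
        "internet -> ssh 22": make_pkt("203.0.113.7", "ether1", "tcp", 22),
        "internet -> ping": make_pkt("203.0.113.7", "ether1", "icmp"),
    }
    for name, p in cases.items():
        print(f"{name:22s} {evaluate(INPUT_CHAIN, p)}")
    # Without the final drop, the unmatched ssh attempt from the internet is accepted.
    print("no final drop, internet -> ssh:", evaluate(INPUT_CHAIN[:-1], cases["internet -> ssh 22"]))
```

Removing the last rule and re-running shows why the "drop all else" rule matters: anything the user rules did not name falls through to the implicit accept.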