Fri Feb 10, 2023 6:34 pm
There is nothing special about the WAN list, be it ether1, vlan7, or the pppoe-name provided.
If not sure, put all three on an interface list called WAN.
The point being WAN is WAN; it's a public-facing connection, so calling it untrusted is not necessary.
What is more important is declaring what's untrusted ON the INSIDE of the router, such as guest networks for wifi, IOT devices, MEDIA devices, etc.
Those should be put on vlans. In this way all vlans are segregated from each other (and assumed not trusted). Thus all subnets are blocked from each other at layer 2, and one needs to do the same in the firewall rules to block at layer 3. One uses a trusted interface list to identify what is trusted; the rest are not. Simple!
vlan10-home
vlan20-guest wifi
vlan30-iot devices
vlan40-media devices
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=pppoe-name list=WAN
add interface=vlan7 list=WAN
add interface=ether1 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-media list=LAN
add interface=vlan10-home list=MGMT
add interface=wireguard1 list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Firewall rules: only the admin on the trusted interface needs access to the router.
(input chain)
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=MGMT src-address-list=AdminAccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS and NTP queries - UDP" connection-state=new dst-port=53,123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
where one has a firewall address list, called AdminAccess, of statically set "fixed" LAN IP leases:
/ip firewall address-list
add address=IP_Admin_desktop list=AdminAccess
add address=IP_Admin_laptop-wired list=AdminAccess
add address=IP_Admin_laptop-wifi list=AdminAccess
add address=IP_Admin_iphone/ipad-wifi list=AdminAccess
add address=IP_Admin_laptop-remote list=AdminAccess comment=wireguard
add address=IP_Admin_iphone/ipad-remote list=AdminAccess comment=wireguard
Firewall rules: all need access to the internet, no one needs access to other vlans.
(forward chain)
add action=accept chain=forward comment="allow VLANS to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Port Forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
With these forward chain rules, all vlans are blocked from each other.
If you need to punch holes to a shared device, or want to allow admin to access other vlans, it is easy to put the applicable accept rules before the last drop rule.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Basically, the rule of thumb is that if you have two or more subnets that require firewall rules (be it for originating traffic or receiving traffic), it is easiest to create a specific interface list to combine them.
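Added worked example (not part of the post above, and not the poster's own export): one complete RouterOS 7 configuration that wires the whole design together, from bridge VLAN filtering (the layer 2 separation) through interface lists to the input and forward chains (the layer 3 separation). Everything not stated in the post is an assumption: ether1 is the ISP uplink carrying tagged VLAN 7 with the PPPoE client named pppoe-out1, ether2-ether4 are untagged access ports, ether5 is a trunk to a VLAN-aware access point carrying the home and guest SSIDs, each VLAN gets 192.168.<vlan-id>.0/24, wireguard1 uses 10.0.0.0/24 on UDP 13231, and the AdminAccess addresses are placeholders. It also adds the established/related and drop-invalid rules from the MikroTik default firewall, the WireGuard handshake accept rule on WAN (without it the remote admin never reaches the MGMT rule), and masquerade, none of which the post shows. DHCP servers are omitted.

```routeros
# Added example, not the forum poster's config. Interface names, subnets, ports and
# addresses below are assumptions chosen to illustrate the design described in the post.

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
# untagged access ports: pvid assigns the VLAN to untagged frames arriving on the port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=30
add bridge=bridge1 interface=ether4 pvid=40
# trunk to the access point carrying home (10) and guest (20) SSIDs as tagged VLANs
add bridge=bridge1 interface=ether5

/interface bridge vlan
# bridge1 itself is a tagged member of every VLAN so the router gets an L3 interface on each;
# nothing else lets frames cross between VLANs, which is the layer 2 separation
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=40

/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
add interface=bridge1 name=vlan30-iot vlan-id=30
add interface=bridge1 name=vlan40-media vlan-id=40
# ISP-side tag (assumed); the PPPoE client pppoe-out1 is assumed to run on top of it
add interface=ether1 name=vlan7 vlan-id=7

/interface wireguard
add name=wireguard1 listen-port=13231

/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-iot
add address=192.168.40.1/24 interface=vlan40-media
add address=10.0.0.1/24 interface=wireguard1

/interface list
add name=WAN
add name=LAN
add name=MGMT

/interface list member
add interface=ether1 list=WAN
add interface=vlan7 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-media list=LAN
add interface=vlan10-home list=MGMT
add interface=wireguard1 list=MGMT

/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

/ip firewall address-list
# assumed static DHCP leases and WireGuard peer address of the admin's devices
add address=192.168.10.10 list=AdminAccess comment="admin desktop"
add address=192.168.10.11 list=AdminAccess comment="admin laptop wifi"
add address=10.0.0.2 list=AdminAccess comment="admin laptop via wireguard1"

/ip firewall filter
# input chain: who may talk to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 comment="WireGuard handshake from internet"
add chain=input action=accept in-interface-list=MGMT src-address-list=AdminAccess comment="Allow ADMIN to Router"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,123 comment="Allow LAN DNS and NTP - UDP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="Allow LAN DNS - TCP"
add chain=input action=drop comment="Drop All Else"
# forward chain: what may cross between interfaces
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow VLANS to WAN"
add chain=forward action=accept connection-nat-state=dstnat comment="Port Forwarding"
# holes punched before the final drop: admin devices reach every VLAN, home reaches media devices
add chain=forward action=accept in-interface-list=MGMT out-interface-list=LAN src-address-list=AdminAccess comment="Admin to all VLANS"
add chain=forward action=accept in-interface=vlan10-home out-interface=vlan40-media comment="Home to media devices"
add chain=forward action=drop comment="DROP ALL other FORWARD traffic"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade to internet"
```

Two things worth checking after pasting something like this: the order of the forward rules matters, since the "Home to media devices" accept only works because it sits above the final drop, and the return traffic for every allowed connection is carried by the established,related accept at the top of each chain, so removing that rule breaks internet access even though the LAN-to-WAN accept is still there.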