I've got a hAP ax3 and used quick set to get my initial "simple" config working with VLAN1 using 10.0.0.0/24.
From there I added VLAN10 and a guest WiFi network running on 10.0.10.0/24. Then I added firewall rules to drop VLAN10 traffic not destined for WAN, unless it's DNS queries to the router.
The setup works without issue, but I want to ensure I haven't done something stupid and opened myself up to bad actors. That or if there's a simpler way to do things.
I deleted the CAPsMAN rule that defconf creates as I don't use it, and I've disabled the ipsec rules for similar reasons. Figured less is better in this situation.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="allow dns queries from untrusted vlan" \
dst-address=10.0.10.1 dst-port=53 protocol=tcp src-address=10.0.10.0/24
add action=accept chain=input dst-address=10.0.10.1 dst-port=53 protocol=udp \
src-address=10.0.10.0/24
add action=drop chain=input comment=\
"drop all other traffic to router from untrusted vlan" dst-address=\
10.0.10.1 src-address=10.0.10.0/24
add action=drop chain=forward comment="isolate untrusted vlan subnet" \
out-interface-list=!WAN src-address=10.0.10.0/24
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
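As an added check (example code, not part of the original post or of RouterOS), the script below models the input chain above as a first-match list and evaluates a few constructed packets against it. The point it illustrates is defensive: the "drop all other traffic to router from untrusted vlan" rule matches only dst-address=10.0.10.1, and a RouterOS built-in chain accepts whatever reaches its end without matching, so a guest-VLAN packet aimed at one of the router's other addresses (the VLAN1 side, say) is not covered by any drop. The script also evaluates a tightened copy of the chain with the dst-address qualifier removed from that rule. Assumptions not stated in the post: the VLAN10 interface is named vlan10 and is a member of the LAN interface list (it must be, or the DNS rules would never be reached), the VLAN1 bridge is named bridge, WAN is ether1, and only new packets are modelled, so the connection-state rules are left out.

```python
# Added example, not from the original post: a minimal first-match model of the
# posted input chain, used to see what a new packet from the guest VLAN reaches.
# Assumed (not in the post): VLAN10 interface "vlan10" is in the LAN list,
# VLAN1 rides on "bridge", WAN is "ether1". Only "new" packets are modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERFACE_LISTS = {"LAN": {"bridge", "vlan10"}, "WAN": {"ether1"}}


@dataclass
class Packet:
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address (one of the router's)
    proto: str                # "tcp", "udp" or "icmp"
    dst_port: Optional[int]   # None for icmp
    in_iface: str             # interface the packet arrived on


@dataclass
class Rule:
    action: str
    comment: str
    src: Optional[str] = None        # src-address, host or CIDR
    dst: Optional[str] = None        # dst-address, host or CIDR
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_list: Optional[str] = None    # in-interface-list; leading "!" negates

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_list:
            negate = self.in_list.startswith("!")
            member = pkt.in_iface in INTERFACE_LISTS[self.in_list.lstrip("!")]
            if member == negate:   # in list but rule wants "not in", or vice versa
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; a built-in chain accepts if nothing matched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


# The posted input chain, restricted to rules that apply to new packets.
POSTED_INPUT = [
    Rule("accept", "defconf: accept ICMP", proto="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
    Rule("accept", "allow dns queries from untrusted vlan",
         src="10.0.10.0/24", dst="10.0.10.1", proto="tcp", dst_port=53),
    Rule("accept", "allow dns queries from untrusted vlan (udp)",
         src="10.0.10.0/24", dst="10.0.10.1", proto="udp", dst_port=53),
    Rule("drop", "drop all other traffic to router from untrusted vlan",
         src="10.0.10.0/24", dst="10.0.10.1"),
]

# Same chain, but the final drop no longer names a dst-address, so it covers
# every address the router answers on, not just its VLAN10 gateway address.
TIGHTENED_INPUT = POSTED_INPUT[:-1] + [
    Rule("drop", "drop all other traffic to router from untrusted vlan",
         src="10.0.10.0/24"),
]

# Constructed sample packets (TCP 8291 is Winbox's default port).
GUEST_DNS = Packet("10.0.10.50", "10.0.10.1", "udp", 53, "vlan10")
GUEST_TO_VLAN1_GW = Packet("10.0.10.50", "10.0.0.1", "tcp", 8291, "vlan10")
GUEST_TO_OWN_GW = Packet("10.0.10.50", "10.0.10.1", "tcp", 8291, "vlan10")
INTERNET_PROBE = Packet("203.0.113.9", "198.51.100.2", "tcp", 8291, "ether1")

if __name__ == "__main__":
    cases = [("guest DNS", GUEST_DNS), ("guest -> 10.0.0.1:8291", GUEST_TO_VLAN1_GW),
             ("guest -> 10.0.10.1:8291", GUEST_TO_OWN_GW), ("WAN probe", INTERNET_PROBE)]
    for label, pkt in cases:
        print(f"{label:24} posted={evaluate(POSTED_INPUT, pkt)[0]:6} "
              f"tightened={evaluate(TIGHTENED_INPUT, pkt)[0]}")
```

Running it shows the posted chain accepting the guest packet to 10.0.0.1:8291 by falling off the end of the chain, while the tightened chain drops it and still accepts the DNS query. The model ignores connection tracking, so it only says which rule a new packet hits on the real device, not what happens to replies.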