Thu Feb 23, 2023 8:15 pm
Don't see a clear issue on the MT, so I suspect the issue is in the other device's settings (TP-Link)?
Step 1. Remove this rule; it is not required in 99% of cases. Use normal firewall rules.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
Step 2. Since there are no differences between any of your trunk ports (they all get the same tagged VLANs), you can simplify.
/interface bridge vlan
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=120
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=110
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=100
/interface bridge vlan
add bridge=BR1 tagged=\
BR1,ether2-Trunk,ether3-Trunk,ether4-Trunk,ether5-Trunk,sfp1 vlan-ids=100,110,120
Step 3. Your firewall rules need a smidge of work, mostly in content, but I commend you on not having any YouTube bloatware, a refreshing change.
The only major change I would make is not letting EVERYONE have full access TO the router (which is what the input chain is for).
Thus the idea is you only give the ADMIN full access, while everyone else gets only the router services they need, such as DNS etc.
Thus you need to first create a firewall address list.
/ip firewall address-list { based on going into DHCP leases and making MAC-to-IP addresses STATIC/fixed }
add address=Admin-Desktop_IP list=Authorized
add address=Admin-Laptop_IP list=Authorized
add address=Admin-IPad/IPhone_IP list=Authorized
add address=Admin-Remote_IP list=Authorized ( if you set up WireGuard so you can remotely config the router while away )
Fixed.
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=VLAN protocol=udp { add ,123 to dst-port for NTP, and other services only if required }
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else" { Add this last otherwise you may lock yourself out}
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ADGuard Access to Everyone" dst-address=10.0.0.10 in-interface-list=VLAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Billy-PC Access to Everyone" dst-address=10.0.0.100 in-interface-list=VLAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward
Step 4. I do have a question: is AdGuard something set up on 10.0.0.10 which users should use for DNS services?
If so, there may be a better way.
First thing is you will need to create another firewall address list called EXCLUDED. This must contain the AdGuard itself, as noted previously you don't want it to point at itself, plus any other users you wanted exempted, or for example if you created another VLAN and wanted the whole VLAN exempted.
/ip firewall address-list
add address=10.0.0.10 list=EXCLUDED
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 ( one should not point the AdGuard at itself, so the DNS server must remain the interface )
add address=10.0.10.0/24 dns-server=10.0.0.10 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.0.10 gateway=10.0.20.1
/ip firewall filter ( GOOD, already done )
add action=accept chain=forward comment="ADGuard Access to Everyone" dst-address=10.0.0.10 in-interface-list=VLAN
Destination NAT rules to aggressively push users to AdGuard ( and to capture users within the same subnet/VLAN as AdGuard ):
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=tcp to-addresses=10.0.0.10
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=udp to-addresses=10.0.0.10
Finally, a HAIRPIN NAT source NAT rule for the users within the same subnet/VLAN as AdGuard, for their use of AdGuard to work properly.
add chain=srcnat action=masquerade dst-address=10.0.0.0/24 src-address=10.0.0.0/24
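Added note, not part of the reply above and not MikroTik's own tooling: the three points the reply makes (the input chain must end with a catch-all drop, no input accept may hand every LAN host the whole router, and the DNS dst-nat must exempt the resolver via the EXCLUDED list) can be checked mechanically against a saved `/export`. The script below is a constructed example; it assumes the standard export layout (section lines beginning with `/`, `add key=value ...` rule lines, a trailing backslash for wrapped lines) and audits a constructed sample modelled on the rules in the reply.

```python
"""Audit a RouterOS firewall export for the three points raised in the reply.

Constructed example, not code from the forum post or from MikroTik. It assumes
the export uses the standard '/export' layout: section lines starting with '/',
'add key=value ...' rule lines, and a trailing backslash for wrapped lines.
"""
import shlex

# Constructed sample export modelled on the rules in the reply (not a real device dump).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=tcp to-addresses=10.0.0.10
add chain=dstnat action=dst-nat in-interface-list=VLAN src-address-list=!EXCLUDED dst-port=53 protocol=udp to-addresses=10.0.0.10
"""


def parse_export(text):
    """Return a list of rule dicts; each carries its section path plus its key=value fields."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # RouterOS wraps long rules with a trailing backslash
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a section header such as '/ip firewall filter'
            section = line
            continue
        if line.startswith("add "):
            rule = {"section": section}
            for tok in shlex.split(line[4:]):  # shlex keeps quoted comments as one token
                key, _, value = tok.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def is_scoped(rule):
    """An input rule is scoped if it restricts who it accepts or which service it accepts."""
    return (
        "connection-state" in rule
        or "src-address-list" in rule
        or "src-address" in rule
        or "dst-port" in rule
        or rule.get("protocol") == "icmp"
    )


def audit(rules):
    """Return a list of findings; an empty list means the export passes all three checks."""
    findings = []
    active = [r for r in rules if r.get("disabled") != "yes"]
    inp = [r for r in active if r["section"] == "/ip firewall filter" and r.get("chain") == "input"]
    # 1. the input chain must close with a catch-all drop, placed last so nothing slips past it
    last = inp[-1] if inp else {}
    if last.get("action") != "drop" or is_scoped(last) or "in-interface-list" in last:
        findings.append("input: last rule is not an unconditional drop")
    # 2. no accept may hand every LAN host full access to the router's services
    for i, r in enumerate(inp):
        if r.get("action") == "accept" and not is_scoped(r):
            findings.append(f"input: rule {i} accepts without restricting source or service")
    # 3. a DNS redirect must exempt the resolver itself (the EXCLUDED list in the reply)
    nat = [r for r in active if r["section"] == "/ip firewall nat" and r.get("chain") == "dstnat"]
    for i, r in enumerate(nat):
        if r.get("action") == "dst-nat" and r.get("dst-port") == "53":
            if not r.get("src-address-list", "").startswith("!"):
                findings.append(f"dstnat: DNS redirect rule {i} has no exclusion list")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)) or ["no findings"]:
        print(finding)
```

Run it against your own `/export file=...` output after replacing SAMPLE_EXPORT; a broad `action=accept chain=input in-interface-list=VLAN` rule, a "drop all else" that is not last, or a DNS dst-nat without `src-address-list=!EXCLUDED` each produce a finding.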