I recently had issues with a firmware upgrade to my home router, a hAP ac^2 (R1). After the second attempt I discovered my DHCP reservations were almost gone, and the next day I discovered the firewall list was empty; not even the "dummy" counter remained. This has prompted me to get my secondary router up and running, an RB750Gr3 (R2).

Because I had to re-create the firewall on the hAP, I was a little more focused on creating the new one, and to that end I followed the Mikrotik doc on creating an advanced firewall https://help.mikrotik.com/docs/display/ ... d+Firewall. I have followed that guide to the letter, only changing the entries and lists to match my particular environment (LAN IP addresses etc.). I finally got that up and running today and had it running side-by-side with R1, which has only a basic firewall.

I was monitoring the firewalls to see what the differences in traffic look like, and right off the bat one thing stood out: the new router has what I would consider a ton of traffic (20-30 p/s) that was being caught and dropped by the 3rd rule of:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Whereas R1 only had the occasional hit (0-3 p/s intermittently).
My R1 firewall config up to that rule is:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP VPN Incoming" disabled=yes \
dst-port=1723 log=yes log-prefix=PPTP-VPN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
On both routers my LAN interface list contains only the ethernet port that is connected to my LAN and the bridge interface.
Can anyone see why R2 would see so much more traffic on that rule than R1? Both are connected directly to my modem and both have an IP directly from my ISP.
Sorry for the long-windedness of the post, but I'm trying to include all pertinent information. At this point I'm pretty sure my R2 firewall is sound, but I'm wondering if there's something in my R1 config that's missing these packets. I'm happy to post the entire firewall config of both routers if that helps.
Thanks for any insight anyone can provide.
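As an added example (not from the post, and not MikroTik's own tooling): a small Python script that parses the two exported `/ip firewall filter` excerpts quoted above, including the `\` line continuations, and reports which rule fires first for a constructed packet arriving on the `input` chain, so the two rule orders can be compared against the same traffic. The embedded export texts, the `packet()` helper and its fields are constructed for this example, and only the matchers the excerpts actually use are modelled.

```python
import shlex

# Constructed from the two excerpts in the post (the disabled PPTP rule is left out).
R1_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
'''
R2_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
'''

def parse_export(text):
    """Turn the 'add key=value ...' lines of a RouterOS export into dicts, joining '\\' continuations first."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules

def rule_matches(rule, pkt):
    """Only the matchers these excerpts use: chain, protocol, connection-state, in-interface-list (with '!')."""
    if (rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]
            or rule.get("protocol", pkt["protocol"]) != pkt["protocol"]
            or pkt["state"] not in rule.get("connection-state", pkt["state"]).split(",")):
        return False
    if "in-interface-list" in rule:
        lst = rule["in-interface-list"]
        in_list = lst.lstrip("!") in pkt["in_lists"]
        if in_list == lst.startswith("!"):  # '!LAN' matches only packets NOT from a LAN-list interface
            return False
    return True

def first_match(rules, pkt):
    """RouterOS walks a chain top to bottom; the first matching rule decides. Returns (1-based index, action, comment)."""
    for i, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return i, rule["action"], rule.get("comment", "")
    return None  # fell through every rule: the chain's default (accept) applies

def packet(protocol, state, lists=()):
    """Constructed packet addressed to the router itself (chain 'input'); lists = interface lists of the ingress port."""
    return {"chain": "input", "protocol": protocol, "state": state, "in_lists": set(lists)}
```

A packet with an empty `lists` models one arriving on the WAN port, which is in neither router's LAN list.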