Thu Apr 20, 2023 7:11 pm
Yes you need a major cleanup.
(1) There should be no reason for this mess!
/ip pool
add name=pool1 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool2 ranges=192.168.2.2-192.168.2.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.201-192.168.2.251
(2) expectations here..
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dns
set allow-remote-requests=yes server=1.1.1.1,8.8.8.8
(3) Not sure of the purpose of these but you can get rid of the first one......
What is the second one for??
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=159.148.172.226 name=upgrade.mikrotik.com ?????
(4) Your firewall rules are disorganized, put all the input chain rules together and all the forward chain rules together, much easier to read, spot errors etc...
For examples duplicates would be easily spotted!!
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"[Custom] allow connections from VPN network" disabled=yes src-address=\
192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-port=53 protocol=udp src-address=\
192.168.2.201
add action=accept chain=forward dst-port=53 protocol=tcp src-address=\
192.168.2.201
(5) REPLACE this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN bre\
aks router update and Roku issues" connection-nat-state="" \
connection-state="" in-interface-list=!LAN
And make it simpler
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
(6) what is the purpose of these rules............ I would remove them......
add action=accept chain=forward dst-port=53 protocol=udp src-address=\
192.168.2.201
add action=accept chain=forward dst-port=53 protocol=tcp src-address=\
192.168.2.201
(7) What is the purpose of this rule?? Seems very unsafe>..........
/ip service
set www address=192.168.2.0/24