Aside: Grateful that such resources exist for newcomers.
My question relates to this element of the guide
(2) RAW RULE Inbound/Destination Address - Designed to Stop Cold, any incoming traffic (passing inbound on the WAN) whose destination-address is different from the public IPs on the router. Thus we make use of a firewall address list to identify the available public IPs at the router.
After adding the RAW rules all seemed fine, until one day I restarted the router and found I had no internet connection. I had been assigned a new dynamic IP, and I believe the address-list was unable to resolve my new external address because the raw rules were blocking traffic back into the router, so I had a circular problem which I could only resolve by temporarily disabling the rule which denied traffic from the WAN.
Question: Am I right in thinking that this section of the guide is problematic for people with dynamic IPs?
These are the lines that I believe are relevant, noting that in the address list I had something like home.mydomain.com.
/ip firewall address-list
{...}
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip
/ip firewall raw
{...}
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!expected-dst-address-to-my-ISP comment="drop non-legit dst-addresses hitting WAN side"
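The circular dependency described in the post, as an added model in Python (constructed example, not RouterOS code and not from the guide): the RAW drop rule accepts only destinations present in the address list, but the DNS reply that would refresh the list is itself an inbound WAN packet addressed to the new public IP, so it is dropped and the list stays stale. The second scenario assumes a hypothetical boot-time step that seeds the list from the WAN interface's own address locally (no network packet involved) before the DNS refresh runs; the hostname home.mydomain.com is taken from the post, and the IP addresses are made up.

```python
"""Model of a RAW prerouting drop rule keyed on an address list that is
populated by DNS resolution of a dynamic hostname.

Constructed example: it imitates the logic of
  add action=drop chain=prerouting in-interface-list=WAN \
      dst-address-list=!expected-dst-address-to-my-ISP
in plain Python so the reboot failure mode can be traced step by step.
"""

from dataclasses import dataclass, field


@dataclass
class Router:
    wan_ip: str                                   # current (dynamic) public address
    address_list: set = field(default_factory=set)  # expected-dst-address-to-my-ISP

    def raw_prerouting(self, dst_address: str) -> str:
        """Verdict for a packet arriving on the WAN interface list.

        Mirrors the rule: anything whose destination is NOT in the
        address list is dropped before it reaches the router itself.
        """
        return "accept" if dst_address in self.address_list else "drop"

    def refresh_list_from_dns(self, hostname: str, dns_answer: str) -> bool:
        """Attempt to repopulate the list from a DNS reply.

        The reply is an inbound WAN packet addressed to the router's
        current WAN IP, so it traverses the RAW chain first. If that
        chain drops it, the resolver never sees the answer and the
        list keeps its stale entry.
        """
        if self.raw_prerouting(self.wan_ip) == "drop":
            return False
        # Resolver succeeded: the list now holds the address the hostname maps to.
        self.address_list = {dns_answer}
        return True


def simulate_reboot(old_ip: str, new_ip: str, seed_from_interface: bool) -> dict:
    """Reboot with a stale list (old_ip) after the ISP handed out new_ip.

    seed_from_interface models a hypothetical local step that reads the
    WAN interface's own address and adds it to the list before any DNS
    lookup is attempted; it is an assumption of this example, not a
    feature of the guide.
    """
    router = Router(wan_ip=new_ip, address_list={old_ip})
    if seed_from_interface:
        router.address_list.add(new_ip)  # local read, no WAN packet needed
    refreshed = router.refresh_list_from_dns("home.mydomain.com", new_ip)
    return {
        "dns_refreshed": refreshed,
        "inbound_to_new_ip": router.raw_prerouting(new_ip),
        "inbound_to_old_ip": router.raw_prerouting(old_ip),
    }


if __name__ == "__main__":
    # Constructed addresses; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    print("stale list only :", simulate_reboot("198.51.100.7", "203.0.113.42", False))
    print("seeded at boot  :", simulate_reboot("198.51.100.7", "203.0.113.42", True))
```

Without seeding, `dns_refreshed` is `False` and every inbound packet to the new public IP is dropped, which is exactly the dead end the post describes: the only way out is to disable the rule. With the list seeded from the interface address, the DNS reply passes, the list is rebuilt around the new IP, and the stale old IP is no longer accepted.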