atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 3:41 pm

Hi, I am trying to block all internet traffic from part of the LAN (WiFi) using interfaces, except for a custom RDP port, but I am getting weird results.

Specifically, I have:
blocked WiFi users from communicating with the local LAN, allowed the port, and then blocked internet out and internet in. Unfortunately, this allow rule doesn't get triggered at all, unless I disable the rule _BELOW_ it, which disables the rest of the outgoing packets to the internet. ??

Am I missing something, or are interfaces not meant to be used like this?

The "interface" is a bridge with a switch port added to it, and for the WiFi LAN I am using CAPsMAN forwarding with datapath to separate traffic.

The same could be achieved with subnets, but I don't understand why this wouldn't work, or why my first allow rule doesn't get triggered at all. RDP only requires one port, and established/related are allowed at the top.

Here is FW config:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=forward comment=WAREHOUSE in-interface=WAREHOUSE out-interface=INTERNAL reject-with=icmp-admin-prohibited
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=reject chain=forward in-interface=WAREHOUSE out-interface=INTERNET reject-with=icmp-admin-prohibited
add action=drop chain=forward in-interface=INTERNET out-interface=WAREHOUSE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=INTERNET
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to allow only one port using In and Out interfaces  [SOLVED]

Tue Oct 05, 2021 5:54 pm

Try a different approach with the forward chain, and that is to change the concept to what you want to allow!!

keep the 5 first Default rules
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec {disable if not using vpn}
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec {disable if not using vpn}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

+++++++++++++++++++++++++++++
d. drop all else (add chain=forward action=drop comment="drop all other traffic")

Now, where the ++++++++++ symbols are located in the order, put the traffic you want to allow at L3.
Keep in mind that all LAN to LAN, LAN to WAN and WAN to LAN is dropped by this last rule so you only need to focus on traffic that is allowed.

Typically this could be what devices should get internet.
Also a shared printer amongst multiple subnets etc...
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 7:06 pm

...

I feel weird because this is the exact opposite of what I have been doing for years now... the rules are completely inverted. :-)

It is beautiful, but TBH I am almost afraid not to break anything.

Before I did blocks specifically:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=forward comment="SKOLSKA KNJIGA" in-interface=WIFI out-interface=INTERNAL reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=WIFI out-interface=WAREHOUSE reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=WIFI out-interface=URED reject-with=icmp-admin-prohibited
add action=reject chain=forward comment=URED in-interface=URED out-interface=INTERNAL reject-with=icmp-admin-prohibited
add action=reject chain=forward comment=WAREHOUSE in-interface=WAREHOUSE out-interface=INTERNAL reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=WAREHOUSE out-interface=WIFI reject-with=icmp-admin-prohibited
add action=reject chain=forward in-interface=WAREHOUSE out-interface=URED reject-with=icmp-admin-prohibited
add action=accept chain=forward dst-port=80 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=reject chain=forward in-interface=WAREHOUSE out-interface=INTERNET reject-with=icmp-admin-prohibited

And this is what I have now:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID
add action=accept chain=input comment="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX PUT ALLOW RULES BELOW XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" dst-port=53 in-interface=\
    !INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp
add action=accept chain=forward in-interface=INTERNAL out-interface=INTERNET
add action=accept chain=forward in-interface=WIFI out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=drop chain=forward comment="drop all other traffic" connection-nat-state=!dstnat connection-state=new

I suppose what I did above is what you had in mind? (Thanks a lot for help, you just changed the way I think about firewall.)
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 7:32 pm

Let's have a look!!
See if anything is out of place - RED
Improvements possible... GREEN
Missed the boat a bit...... Blue
unknown purpose so probably okay but explanation of requirements would ensure such assumptions -

Also since you haven't posted the complete config I can only guess at some things.........

/ip firewall filter
{INPUT CHAIN}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{FORWARD CHAIN}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID
add action=accept chain=input comment="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX PUT ALLOW RULES BELOW XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" dst-port=53 in-interface=\
!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp
add action=accept chain=forward in-interface=INTERNAL out-interface=INTERNET
add action=accept chain=forward in-interface=WIFI out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp

add action=drop chain=forward comment="drop all other traffic" connection-nat-state=!dstnat connection-state=new

Next post will be recommendations........
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 7:40 pm

Will address input chain next..........

/ip firewall filter
{FORWARD CHAIN}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID

add action=accept chain=forward in-interface-list=AllowInternet out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp ????
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp ????
add action=drop chain=forward comment="drop all other traffic"

Where
/interface list
add name=AllowInternet

/interface list member
add interface=INTERNAL list=AllowInternet
add interface=WIFI list=AllowInternet


???? - since I don't know the purpose, hard to say, but looks okay.

One question: Do you have any port forwarding rules.......??
If so you will need to add one rule just before the drop all rule.
add action=accept chain=forward comment="allow port forwarding" in-interface-list=WAN \
connection-nat-state=dstnat connection-state=new
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 7:47 pm

Your input chain rule was flawed from the beginning, it was missing the default last rule in BLUE and you added two other rules that were needed due to missing the default rules but they fail to cover any other WAN to Router traffic that would have been blocked by the proper default rule.

{Input Chain}

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN

The default rule in blue, basically states drop all traffic not coming from the LAN.............. No longer need the port 53 rules.


You may wish to consider better security in rules on the input chain, but only if you are up to it and understand all the rules and changes we have made so far.
If you don't understand what the rules are doing then one shouldn't progress too rapidly in changing them.
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 8:00 pm

Let's have a look!!
See if anything is out of place - RED
Improvements possible... GREEN
Missed the boat a bit...... Blue
unknown purpose so probably okay but explanation of requirements would ensure such assumptions -

Also since you haven't posted the complete config I can only guess at some things.........

/ip firewall filter
{INPUT CHAIN}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{FORWARD CHAIN}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID
add action=accept chain=input comment="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX PUT ALLOW RULES BELOW XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" dst-port=53 in-interface=\
!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp
add action=accept chain=forward in-interface=INTERNAL out-interface=INTERNET
add action=accept chain=forward in-interface=WIFI out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp

add action=drop chain=forward comment="drop all other traffic" connection-nat-state=!dstnat connection-state=new

Next post will be recommendations........

I will reply by colored points:

1. two chain inputs are for DNS in, but it seems I don't need those... :-) // REMOVED
2. two interfaces you have marked are two bridges: one is local LAN where router and CAPs reside, and the other one is bridge for WiFi network. I use those to allow them to internet, because that deny below blocks internet access completely
3. Orange stuff is specific allows for the WAREHOUSE wifi to have access for 80/443 for testing and that specific port for RDS
4. FIXED!
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 8:03 pm

Will address input chain next..........

/ip firewall filter
{FORWARD CHAIN}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID

add action=accept chain=forward in-interface-list=AllowInternet out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp ????
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp ????
add action=drop chain=forward comment="drop all other traffic"

Where
/interface list
add name=AllowInternet

/interface list member
add interface=INTERNAL list=AllowInternet
add interface=WIFI list=AllowInternet


???? - since I don't know the purpose, hard to say, but looks okay.

One question: Do you have any port forwarding rules.......??
If so you will need to add one rule just before the drop all rule.
add action=accept chain=forward comment="allow port forwarding" in-interface-list=WAN \
connection-nat-state=dstnat connection-state=new

I see that you have grouped interfaces together as a lower level filtering than filtering on bridges. - Is there a functional difference? It would be easy to switch, and in this way I can glance traffic on Window on my 3011... :-) (Can't see interface groups AFAIK on LCD)

I have no port forwarding, as this is just a simple wifi system for a warehouse. They will not be targeting anything inside.
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 8:13 pm

Your input chain rule was flawed from the beginning, it was missing the default last rule in BLUE and you added two other rules that were needed due to missing the default rules but they fail to cover any other WAN to Router traffic that would have been blocked by the proper default rule.

{Input Chain}

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN

The default rule in blue, basically states drop all traffic not coming from the LAN.............. No longer need the port 53 rules.


You may wish to consider better security in rules on the input chain, but only if you are up to it and understand all the rules and changes we have made so far.
If you don't understand what the rules are doing then one shouldn't progress too rapidly in changing them.

Thanks. I won't go much further, because the router will not be exposed to live internet. It will be behind a firewall in the internal network, but I still need *some* protection if need be.

Apart from that I will have to learn much more about understanding firewall before I dive into much deeper. :-I

This is what we have now, after changes and fixes:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INVALID
add action=accept chain=forward in-interface=INTERNAL out-interface=INTERNET
add action=accept chain=forward in-interface=WIFI out-interface=INTERNET
add action=accept chain=forward comment="WAREHOUSE FULL INTERNET - TURN OFF" disabled=yes in-interface=WAREHOUSE out-interface=INTERNET
add action=accept chain=forward comment="TESTING" dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET \
    protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=drop chain=forward comment="drop all other traffic"

It is definitely much simpler! And works better.
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Trying to allow only one port using In and Out interfaces

Tue Oct 05, 2021 9:38 pm

One correction (computer tricked me on testing due to cached DNS) - I still had to enable DNS ports before input drop, because LAN interface list is defined as a bridge INTERNAL, which contains physical ports on the router. Other stuff is on other bridges. DNS didn't work otherwise.
/interface ethernet
set [ find default-name=ether1 ] name=e1-INTERNET
set [ find default-name=ether2 ] name=e2-SK-LAN
set [ find default-name=ether3 ] name=e3-PoESW1
set [ find default-name=ether4 ] name=e4-PoESW2
set [ find default-name=ether5 ] name=e5
set [ find default-name=ether6 ] name=e6
set [ find default-name=ether7 ] name=e7
set [ find default-name=ether8 ] name=e8
set [ find default-name=ether9 ] name=e9
set [ find default-name=ether10 ] name=e10-PoE
set [ find default-name=sfp1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=URED comment=defconf interface=e2-SK-LAN
add bridge=INTERNAL comment=defconf interface=e3-PoESW1
add bridge=INTERNAL comment=defconf interface=e4-PoESW2
add bridge=INTERNAL comment=defconf interface=e5
add bridge=INTERNAL comment=defconf interface=e6
add bridge=INTERNAL comment=defconf interface=e7
add bridge=INTERNAL comment=defconf interface=e8
add bridge=INTERNAL comment=defconf interface=e9
add bridge=INTERNAL comment=defconf interface=e10-PoE
add bridge=INTERNAL comment=defconf interface=sfp1
add bridge=INTERNET interface=e1-INTERNET
/interface list member
add comment=defconf interface=INTERNAL list=LAN
add comment=defconf interface=INTERNET list=WAN
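
Added example (not from any post in this thread): a small Python model of first-match rule evaluation, run over a simplified copy of the final rule set, showing the allow-then-drop forward chain and why DNS from WIFI to the router is caught by the `!LAN` input drop. The IPsec, fasttrack and loopback rules are omitted, and the packet fields and function names are assumptions of this sketch rather than anything RouterOS provides.

```python
import shlex

# Interface lists as posted in the thread's last message.
LISTS = {"LAN": {"INTERNAL"}, "WAN": {"INTERNET"}}

# Simplified copy of the final rule set (constructed for this example).
RULES = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=INTERNAL out-interface=INTERNET
add action=accept chain=forward in-interface=WIFI out-interface=INTERNET
add action=accept chain=forward comment="WAREHOUSE FULL INTERNET - TURN OFF" disabled=yes in-interface=WAREHOUSE out-interface=INTERNET
add action=accept chain=forward dst-port=80,443 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=accept chain=forward dst-port=35521 in-interface=WAREHOUSE out-interface=INTERNET protocol=tcp
add action=drop chain=forward comment="drop all other traffic"
"""

# The router DNS rules the topic author re-enabled ahead of the input drop.
DNS_RULES = """\
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input dst-port=53 in-interface=!INTERNET protocol=tcp
"""

def parse(text):
    """Turn RouterOS 'add key=value ...' lines into dicts, keeping order."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def negatable(want, test):
    """Apply the '!' negation prefix of a matcher value."""
    return not test(want[1:]) if want.startswith("!") else test(want)

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("action", "chain", "comment", "disabled"):
            continue
        if key in ("connection-state", "dst-port"):
            ok = str(pkt.get(key)) in want.split(",")
        elif key.endswith("-interface-list"):
            iface = pkt.get(key[:-len("-list")])
            ok = negatable(want, lambda name: iface in LISTS[name])
        else:
            ok = negatable(want, lambda value: pkt.get(key) == value)
        if not ok:
            return False
    return True

def decide(rules, pkt):
    """First enabled match in the chain wins; with no match the packet is accepted."""
    for index, rule in enumerate(rules):
        if rule["chain"] != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        if matches(rule, pkt):
            return rule["action"], index
    return "accept", None

def with_dns_before_input_drop(rules, dns_rules):
    at = next(i for i, r in enumerate(rules)
              if r["chain"] == "input" and r.get("in-interface-list") == "!LAN")
    return rules[:at] + dns_rules + rules[at:]

def packet(chain, in_if, proto, port, out_if=None, state="new"):
    return {"chain": chain, "in-interface": in_if, "out-interface": out_if,
            "protocol": proto, "dst-port": port, "connection-state": state}

if __name__ == "__main__":
    rules = parse(RULES)
    for p in (packet("forward", "WAREHOUSE", "tcp", 35521, "INTERNET"),
              packet("forward", "WAREHOUSE", "tcp", 22, "INTERNET"),
              packet("input", "WIFI", "udp", 53)):
        print(p["chain"], p["in-interface"], p["dst-port"], decide(rules, p))
```

Evaluating the same WAREHOUSE tcp/22 packet against `rules[:-1]` returns the implicit accept, which is the gap the final "drop all other traffic" rule closes.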
