So I’m hoping someone could take a look at my IP> Firewall settings, and give me some insight as to whether it looks good (or bad), any changes I need to make, and for extra credit – I’d like to get my VPN working.
My confusion is mostly in regards to the sequence or order of the interpreted rules, but I’m learning as I go.
In regards to my VPN, I’m running OpenVPN on a local Raspberry Pi server. When I turn on the Firewall> Filter Rules> “allow OpenVPN” (and NAT rule), it fails to connect. This could easily be an issue with my VPN server, Windows firewall, etc. – and I’ll probably be able to troubleshoot through it, but in the event something is glaring in my MikroTik firewall settings, I’d be very grateful for the insight someone may have. Note: the VPN worked fine with the previous router with the same settings; the only change is the new MikroTik router.
Sorry for the long post, just trying to give all the info. Thank you!
IP> Firewall> Filter Rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X ;;; Kept trying to ssh in. This blocked him, but instead set an IP Services Available From for SSH to only local IPs.
chain=input action=drop src-address=185.53.90.111 log=no log-prefix=""
2 ;;; accept established,related
chain=input action=accept log=no log-prefix=""
3 chain=input action=accept src-address-list=allowed_to_router
4 chain=input action=drop connection-state=invalid log=no log-prefix=""
5 X ;;; allow OpenVPN
chain=input action=accept protocol=udp dst-port=1194 log=yes log-prefix="vpn_filter_rules"
6 ;;; Allow Port Forwarding - DSTNAT
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="dstnat_portf"
7 ;;; allow ICMP
chain=input action=accept protocol=icmp in-interface=ether1 log=no log-prefix=""
8 ;;; allow Winbox
chain=input action=accept protocol=tcp in-interface=ether1 src-port="" port=8291 log=no log-prefix=""
9 ;;; allow SSH
chain=input action=accept protocol=tcp in-interface=ether1 src-port="" port=2200 log=no log-prefix=""
10 ;;; block everything else
chain=input action=drop in-interface=ether1 log=yes log-prefix="fw5"
11 ;;; fast-track for established,related
chain=forward action=fasttrack-connection connection-state=established,related
12 ;;; accept established,related
chain=forward action=accept connection-state=established,related
13 chain=forward action=drop connection-state=invalid
14 ;;; drop access to clients behind NAT form WAN
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
15 ;;; Drop packets from LAN that do not have LAN IP
chain=forward action=drop src-address=!192.168.88.0/24 in-interface=local log=yes log-prefix="LAN_!LAN"
IP> Firewall> NAT:
0 X chain=dstnat action=dst-nat to-addresses=192.168.88.254 protocol=tcp in-interface=ether1 port=3389 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
2 X ;;; OpenVPN
chain=dstnat action=dst-nat to-addresses=192.168.88.229 to-ports=1194 protocol=udp in-interface=ether1 dst-port=1194 port=1194 log=yes log-prefix="vpn_nat_rules"
3 ;;; Send and redirect all DNS requests to the piHole
chain=dstnat action=dst-nat to-addresses=192.168.88.229 protocol=udp src-address=!192.168.88.229 dst-address=!192.168.88.229 in-interface=local dst-port=53 log=no log-prefix="piholednsrule1"
4 ;;; Masquerade rules for both types of traffic to hide the source
chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.229 dst-port=53 log=no log-prefix="piholednsrule2"
5 ;;; PLEX
chain=dstnat action=dst-nat to-addresses=192.168.88.237 protocol=tcp in-interface=ether1 dst-port=32400 log=no log-prefix=""
IP> Firewall> Address Lists:
0 allowed_to_router 192.168.88.2-192.168.88.254 sep/22/2021 08:30:27
1 ;;; RFC6890
not_in_internet 0.0.0.0/8 sep/22/2021 08:36:20
2 ;;; RFC6890
not_in_internet 172.16.0.0/12 sep/22/2021 08:36:20
3 ;;; RFC6890
not_in_internet 192.168.0.0/16 sep/22/2021 08:36:20
4 ;;; RFC6890
not_in_internet 10.0.0.0/8 sep/22/2021 08:36:20
5 ;;; RFC6890
not_in_internet 169.254.0.0/16 sep/22/2021 08:36:20
6 ;;; RFC6890
not_in_internet 127.0.0.0/8 sep/22/2021 08:36:20
7 ;;; Multicast
not_in_internet 224.0.0.0/4 sep/22/2021 08:36:20
8 ;;; RFC6890
not_in_internet 198.18.0.0/15 sep/22/2021 08:36:20
9 ;;; RFC6890
not_in_internet 192.0.0.0/24 sep/22/2021 08:36:20
10 ;;; RFC6890
not_in_internet 192.0.2.0/24 sep/22/2021 08:36:20
11 ;;; RFC6890
not_in_internet 198.51.100.0/24 sep/22/2021 08:36:20
12 ;;; RFC6890
not_in_internet 203.0.113.0/24 sep/22/2021 08:36:20
13 ;;; RFC6890
not_in_internet 100.64.0.0/10 sep/22/2021 08:36:20
14 ;;; RFC6890
not_in_internet 240.0.0.0/4 sep/22/2021 08:36:20
15 ;;; 6to4 relay Anycast [RFC 3068]
not_in_internet 192.88.99.0/24 sep/22/2021 08:36:27
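As an added example (not part of the post, and not RouterOS code), here is a small Python model of first-match evaluation over the input and forward chains printed above, so the order question can be traced packet by packet. It assumes the usual RouterOS packet flow: a packet the dstnat rule rewrites to 192.168.88.229 passes through the forward chain with connection-nat-state=dstnat, while a packet addressed to the router itself passes through input. Rule 2 is modelled exactly as printed, without a connection-state matcher; passing disabled={2, 5} to verdict() shows which later rule would decide a new packet if rule 2 matched only established,related.

```python
def packet(chain, proto="udp", dport=0, src="0.0.0.0", in_if="ether1",
           state="new", nat_state=""):
    # chain: "input" (to the router itself) or "forward" (through it);
    # in_if "ether1" is the WAN side in the post; nat_state is "dstnat" or "".
    return dict(locals())

# Filter rules transcribed from the post's print output, in the order shown
# (dummy rule 0, disabled rule 1, fasttrack rule 11 and LAN rule 15 omitted).
# Rule 2 is kept as printed: its comment says established,related, but no
# connection-state matcher is printed, so it matches every input packet.
RULES = [
    (2, "input", "accept", {}),
    (3, "input", "accept", {"src_list": "allowed_to_router"}),
    (4, "input", "drop", {"state": "invalid"}),
    (5, "input", "accept", {"proto": "udp", "dport": 1194}),   # X in the post
    (6, "forward", "accept", {"nat_state": "dstnat"}),
    (7, "input", "accept", {"proto": "icmp", "in_if": "ether1"}),
    (8, "input", "accept", {"proto": "tcp", "in_if": "ether1", "dport": 8291}),
    (9, "input", "accept", {"proto": "tcp", "in_if": "ether1", "dport": 2200}),
    (10, "input", "drop", {"in_if": "ether1"}),
    (12, "forward", "accept", {"state": "established,related"}),
    (13, "forward", "drop", {"state": "invalid"}),
    (14, "forward", "drop", {"state": "new", "not_nat_state": "dstnat", "in_if": "ether1"}),
]
DISABLED = {5}   # rules marked X in the post

def in_allowed_to_router(ip):
    # allowed_to_router address list from the post: 192.168.88.2-192.168.88.254
    octets = tuple(int(o) for o in ip.split("."))
    return (192, 168, 88, 2) <= octets <= (192, 168, 88, 254)

def matches(pkt, m):
    checks = {
        "src_list": lambda v: in_allowed_to_router(pkt["src"]),
        "state": lambda v: pkt["state"] in v.split(","),
        "proto": lambda v: pkt["proto"] == v,
        "dport": lambda v: pkt["dport"] == v,
        "in_if": lambda v: pkt["in_if"] == v,
        "nat_state": lambda v: pkt["nat_state"] == v,
        "not_nat_state": lambda v: pkt["nat_state"] != v,
    }
    return all(checks[key](val) for key, val in m.items())

def verdict(pkt, disabled=DISABLED):
    # The first enabled rule in the packet's chain that matches decides;
    # a chain that nothing matches ends in RouterOS's implicit accept.
    for num, chain, action, m in RULES:
        if num not in disabled and chain == pkt["chain"] and matches(pkt, m):
            return num, action
    return None, "accept"
```

Sample packets such as packet("forward", "udp", 1194, "198.51.100.7", nat_state="dstnat") use constructed addresses from the documentation range, not values from the post.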