Sat Nov 13, 2021 5:35 am
Well, cannot resist the borg...
Your config needs work IMHO.
First thing is remove the bridge from any dhcp and just let it be a bridge.
Thus make vlan11 your Management vlan and make the necessary changes.
All smart devices connected to the router should get an IP address on this vlan 11 subnet (192.168.1.0/24) name=Management
Then look at your interface lists.
You make one that says ALL LAN, but you already have the default labelled LAN, so it was duplication for nothing.
Interface lists are best used for GROUPS of whole subnets, for example if 2/4 vlans were supposed to have internet access but the other two didn't.
Then making an interface list called INTERNET would make sense.
Rare is the case to make ONE subnet also an interface list member but for management purposes, it makes sense as you will see by the last comment I make below.
SO
from
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name="All Lan"
/interface list member
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=bridge list=LAN
add interface="Main Network" list=LAN
add interface=bridge list="All Lan"
add interface=Bench list="All Lan"
add interface=IoT list="All Lan"
add interface=Kids list="All Lan"
add interface="Main Network" list="All Lan"
add interface=ether8-WAN2 list=WAN
TO
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=CONTROL
/interface list member
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether8-WAN2 list=WAN
add interface="Main Network" list=LAN
add interface=Bench list=LAN
add interface=IoT list=LAN
add interface=Kids list=LAN
add interface=Management list=LAN
add interface=Management list=CONTROL
If you don't need this for anything, and changing it to none doesn't take away anything you do, then I recommend this (it is known to cause issues):
/interface detect-internet
set detect-interface-list=none
I find this weird: 4 vlans in the config (five the way I do it) and yet you have no access bridge ports (no pvid settings and thus none going to dumb devices like a PC or printer).
Are they all going to smart devices (managed switches, smart access points etc.)?
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
Why do you set ingress filtering to NO? They should all be YES, unless it's a hybrid port!!
WHERE is this setting? It is MISSING:
/interface bridge vlan ???
The firewall filter rules are a bad mix of misinformation, YouTube and not understanding how the rules actually work.
Best to keep to the defaults UNTIL you know what you are doing.
For example, all one has to do is see these three rules to make that determination.
1-add action=accept chain=forward comment="Accept Port Forward Traffic" \
connection-nat-state=dstnat connection-state="" in-interface-list=WAN
2-add action=drop chain=forward comment="Drop Everything Else"
3-add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
Rules 1 and 3 contradict/overlap each other a bit. Rule 1 says allow port-forwarded traffic from the WAN (a good rule if you have a block-all rule at the end). Rule 3 says block all traffic from the WAN except port-forwarded traffic, BUT you have already allowed port-forwarded traffic. Then, before rule 3, is rule 2, which states: drop everything else. So rule 3 will never get used.
Rule 2, the drop-all rule at the end of the forward chain, is excellent (KEEP!!) but it has to be the last rule.
What this rule says is that all traffic that makes it to this rule (not matched previously) shall be dropped.
So any WAN to LAN, LAN to WAN or LAN to LAN traffic that touches this rule will be dropped.
So the key is, other than the default rules, to ensure you put in what you want to allow just before the drop-all rule!
Typical entries:
- allow LAN to WAN (internet)
- allow port forwarding
- allow shared access to a printer
- allow admin access to all vlans.
SO this is what it should look like: (first three rules of input chain are good default rules)
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Input Rule For ZeroTier" in-interface=\
zerotier1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=WAN
So all traffic from WAN to ROUTER is blocked with the last rule, AND by inference all LAN traffic to ROUTER is allowed.
The next step (another day) will be to change this to BLOCK all LAN to ROUTER traffic and only allow necessary traffic, but not yet; you need to understand how rules work first.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(first three default rules are good and should be in place)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=forward comment="Permit Internet Traffic" in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment="Accept Port Forward Traffic" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Printing from IoT Network" \
dst-address=192.168.10.5 in-interface=IoT
add action=accept chain=forward comment="Allow kid access to HomePod Mini " \
dst-address=192.168.10.104 in-interface=Kids
add action=drop chain=forward comment="Drop Everything Else"
I removed the rule I didn't understand; if you can explain its purpose we can put it back in with accuracy...
add action=accept chain=forward comment="Allow Main Network Open Access" \
in-interface="Main Network"
ON NAT Rules...
Okay, the first two rules seem to be redirect rules; what they do is ensure PCs cannot use their own DNS settings, as they will all be redirected to the router (fixed list).
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
protocol=udp to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=32400 \
protocol=tcp
However, I don't understand the purpose of the third source NAT masquerade rule??
Where did you find this rule? I have not seen it used that I can recall, so just curious.
/ip firewall connection tracking
set enabled=yes
What is the purpose of the MANGLE rules you have???
Modify the following
from
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
TO
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=CONTROL
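The post points out that the bridge VLAN table is missing and that ingress filtering is off on every port. The following is an added example of what that section looks like; it is not from the post or from the original poster's config. It keeps the bridge name `bridge` and the Management VLAN id 11 from the post, but the VLAN ids 10/20/30/40 for Main Network/Bench/IoT/Kids and the port roles (ether2 as an access port for a management PC, ether3 as an access port for an IoT printer, sfp-sfpplus1 as a trunk to a managed switch or access point) are hypothetical placeholders chosen for illustration.

```routeros
# Added example, not the poster's config. Assumed/hypothetical: VLAN ids 10/20/30/40,
# ether2 = Management access port, ether3 = IoT access port, sfp-sfpplus1 = trunk.
# From the post: bridge named "bridge", Management VLAN id 11.

# 1. VLAN interfaces live on the bridge itself, not on a physical port.
/interface vlan
add interface=bridge name=Management vlan-id=11
add interface=bridge name="Main Network" vlan-id=10
add interface=bridge name=Bench vlan-id=20
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Kids vlan-id=40

# 2. Bridge ports. Access ports get a pvid and admit only untagged frames (a PC or
#    printer cannot tag itself into another VLAN). The trunk admits only tagged
#    frames. ingress-filtering=yes drops any frame whose VLAN is not listed for
#    that port in the bridge VLAN table below.
/interface bridge port
add bridge=bridge interface=ether2 pvid=11 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=30 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=sfp-sfpplus1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# 3. Bridge VLAN table. "bridge" is a tagged member so the router's own VLAN
#    interfaces (step 1) can reach each VLAN; the trunk carries all of them;
#    each access port is an untagged member of its pvid VLAN only.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether2 vlan-ids=11
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether3 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=40

# 4. Enable filtering last, once the table is complete; until this line the bridge
#    behaves as before. Do it from a Safe Mode session so a mistake that cuts off
#    management access is rolled back when the session drops.
/interface bridge
set bridge vlan-filtering=yes
```

Ports that are not in the VLAN table for a given VLAN never see that VLAN's frames, which is what the `ingress-filtering=no` ports in the original config give up: without the table and the filter, a device on any port can send tagged frames into any VLAN.

The post defers hardening the input chain ("BLOCK all LAN to ROUTER traffic and only allow necessary traffic"). As a second added example, not from the post, this is one way that step looks once the `CONTROL` interface list from the post exists. It assumes the default WinBox and SSH ports (8291 and 22), that the router is the DNS and DHCP server for the LAN subnets, and keeps the poster's zerotier1 rule as-is; the port choices are assumptions, not something the post specifies.

```routeros
# Added example, not the poster's config. Assumed: CONTROL list = Management VLAN
# (as the post defines it), WinBox on tcp/8291, SSH on tcp/22, router serves DNS/DHCP.
# Replace the existing input-chain rules with these; "add" appends, so the final
# drop must end up as the last input rule.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Input Rule For ZeroTier" in-interface=zerotier1
# Only the Management VLAN may reach the router's admin services.
add action=accept chain=input comment="Admin access from Management only" \
    in-interface-list=CONTROL protocol=tcp dst-port=8291,22
# Every LAN subnet still needs DNS and DHCP from the router.
add action=accept chain=input comment="DNS from LAN (udp)" \
    in-interface-list=LAN protocol=udp dst-port=53
add action=accept chain=input comment="DNS from LAN (tcp)" \
    in-interface-list=LAN protocol=tcp dst-port=53
add action=accept chain=input comment="DHCP from LAN" \
    in-interface-list=LAN protocol=udp dst-port=67
# Everything else to the router, WAN or LAN, is dropped; this replaces the
# "drop all not coming from LAN" rule and must stay last.
add action=drop chain=input comment="Drop everything else to router"
```

With this in place the Bench, IoT and Kids VLANs can resolve names and get leases but cannot open WinBox or SSH to the router, which is the point of pairing the `CONTROL` list with the `mac-winbox` restriction at the end of the post. Apply it from a Safe Mode session, and test admin access from the Management VLAN before closing the session.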