this rule is at the top, but the ports are still open. (action is DROP)
Why?
Yeah, of course. It also didn't work with a single interface.
Is your WAN interface in your WAN interface list?
Please post your config if you want assistance.......
/export hide-sensitive file=anynameyouwish
# dec/02/2021 20:25:24 by RouterOS 6.49.1
# software id = YTJ3-10KN
#
# model = 951Ui-2HnD
# serial number = 80F1088227E6
# Interface / addressing section. Tokens such as WAN1.94, WAN1.92, WLAN_IP.17
# and L2TP_WAN1/2 are hand-redactions by the poster, not export syntax;
# passwords are omitted by "hide-sensitive"; default values are never exported.
/interface bridge
add admin-mac=CC:2D:E0:07:87:93 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether1-GW1
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether5-GW2
# Outbound L2TP clients (this router dials out). The first one carries no
# disabled=no, so it is presumably disabled (defaults are not exported) — confirm.
/interface l2tp-client
add connect-to=L2TP_WAN1 name=l2tp-maxbet user=cukarickapadina
add connect-to=L2TP_WAN2 disabled=no name=l2tp-out1 user=mt099250
# Hotspot SSID. default-forwarding=no stops guests talking to each other at L2
# (client isolation on the AP); whether guests can reach the wired LAN is
# decided by the forward chain further down, not by this setting.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-Ce country=no_country_set default-forwarding=no disabled=no \
distance=indoors frequency-mode=manual-txpower mode=ap-bridge ssid=\
"MaxBet Free WiFi" station-roaming=enabled
# WAN2 is tagged VLAN 3100 on ether5-GW2.
/interface vlan
add interface=ether5-GW2 name=vlan1 vlan-id=3100
# Single interface list. The firewall keys on in-interface-list=WAN, so every
# WAN-facing interface must be a member (see /interface list member below).
/interface list
add name=WAN
# Three pools <-> three DHCP servers below (bridge1 LAN, wlan1 hotspot,
# "private WLAN").
/ip pool
add name=dhcp_pool1 ranges=10.10.105.100-10.10.105.250
add name=hs-pool-6 ranges=10.5.50.2-10.5.50.254
add name=poolPrivateWiFi ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=20m \
name=dhcp1
add address-pool=hs-pool-6 disabled=no interface=wlan1 lease-time=2h name=\
dhcp_myWiFi
# "private WLAN" is referenced here and in /ip address but is not defined in
# this export — presumably a virtual AP the poster trimmed.
add address-pool=poolPrivateWiFi disabled=no interface="private WLAN" \
lease-time=3d name=dhcpPrivateWiFi
# addresses-per-mac=unlimited lets one client MAC bind any number of hotspot
# addresses; a small limit is the usual choice.
/ip hotspot
add address-pool=hs-pool-6 addresses-per-mac=unlimited disabled=no interface=\
wlan1 name=hotspot_99_250
/queue simple
add max-limit=10M/2M name=DVR target=10.10.105.116/32
# The default community is answerable from any source address (0.0.0.0/0).
# The input chain below has no terminating drop for vlan1 (WAN2), so SNMP is
# reachable from that WAN. Restrict addresses= to the management network(s)
# or drop udp/161 from in-interface-list=WAN in the input chain.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# LAN ports bridged; ether1 and ether5 are the two WAN uplinks.
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2
# !dynamic = neighbor discovery (MNDP/CDP/LLDP) runs on every static interface,
# including ether1-GW1, ether5-GW2 and vlan1, advertising the router's identity
# and addresses towards both WANs. Point this at a LAN-only interface list.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Anti-spoofing: loose reverse-path filtering (strict would likely drop
# asymmetric return traffic with two WAN paths — confirm) and SYN cookies for
# the router's own TCP services.
/ip settings
set rp-filter=loose tcp-syncookies=yes
# All three WAN-facing interfaces are WAN members (the question raised in the
# thread).
/interface list member
add interface=ether1-GW1 list=WAN
add interface=ether5-GW2 list=WAN
add interface=vlan1 list=WAN
/ip address
add address=10.10.105.1/24 interface=bridge1 network=10.10.105.0
add address=WAN1.94/30 interface=vlan1 network=WAN1.92
add address=192.168.0.200/24 interface=ether1-GW1 network=192.168.0.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=\
10.5.50.0
add address=192.168.100.1/24 comment="private WLAN" interface=\
"private WLAN" network=192.168.100.0
/ip arp
add address=10.10.105.116 comment=DVR interface=bridge1 mac-address=\
9C:14:63:A3:0A:07
# DDNS publishes the current WAN address under a MikroTik cloud name; handy for
# remote management, but it also makes the router trivially locatable, so pair
# it with the source-list restrictions used for WinBox/SSH.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
# ether1-GW1 has both this DHCP client and a static 192.168.0.200/24 address.
# add-default-route is not shown, i.e. left at its default — presumably it
# installs its own default route next to the recursive ones under /ip route;
# confirm this is intended.
/ip dhcp-client
add interface=ether1-GW1 use-peer-dns=no use-peer-ntp=no
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach udp/tcp 53 on it. Because the input chain only catch-all drops
# ether1-GW1, queries arriving on vlan1 (WAN2) are answered: an open resolver
# usable for reflection/amplification. Drop dst-port=53 from
# in-interface-list=WAN in the input chain (or add the terminating WAN drop).
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
# Firewall filter. Rules are evaluated top-down per chain and the first match
# wins; a packet that matches nothing in its chain is ACCEPTED (RouterOS has no
# implicit drop). Read with that in mind: the input chain below never ends in a
# catch-all drop for in-interface-list=WAN — the only unconditional drop is
# scoped to ether1-GW1 — so every router service not explicitly dropped is
# reachable from vlan1 (WAN2). That is why the port drops at the top "don't
# work": they close four ports and leave everything else open.
/ip firewall filter
# Closes exactly tcp/udp 2000,5060,8009,8010 from WAN. Without a terminating
# WAN drop (see the ether1-GW1 rule below) nothing else is closed.
add action=drop chain=input dst-port=2000,5060,8009,8010 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input dst-port=2000,5060,8009,8010 in-interface-list=\
WAN protocol=udp
# LAN (10.10.105.0/24) may only use resolvers in the DNS address list, in both
# directions. None of the address lists referenced in this chain (DNS,
# BlockLAN, Social, trusted, secured, shodan, pingeri, BGaddresses,
# NSaddresses) are part of this export.
add action=drop chain=forward comment="Drop !DNS" dst-address-list=!DNS \
dst-port=53 protocol=udp src-address=10.10.105.0/24
add action=drop chain=forward comment="Drop !DNS" dst-address=10.10.105.0/24 \
dst-port=53 protocol=udp src-address-list=!DNS
# ICMP between BlockLAN sources and the 10.10.105.0/24 side is dropped, except
# for 10.100.0.100, both to the router itself and when forwarded.
add action=drop chain=input dst-address=10.10.105.0/24 protocol=icmp \
src-address=!10.100.0.100 src-address-list=BlockLAN
add action=drop chain=forward dst-address=!10.100.0.100 dst-address-list=\
BlockLAN protocol=icmp src-address=10.10.105.0/24
# Two-step port knock guarding WinBox on vlan1: an ICMP echo from vlan1 lists
# the source as "trusted" for 1m; a TCP/2311 attempt from a trusted source
# lists it as "secured" for 1h; 8291 from vlan1 is dropped unless secured.
# A knock is obscurity, not authentication — the src-address-list accepts
# further down are the real control.
add action=add-src-to-address-list address-list=trusted address-list-timeout=\
1m chain=input in-interface=vlan1 protocol=icmp
add action=add-src-to-address-list address-list=secured address-list-timeout=\
1h chain=input dst-port=2311 in-interface=vlan1 protocol=tcp \
src-address-list=trusted
add action=drop chain=input dst-port=8291 in-interface=vlan1 protocol=tcp \
src-address-list=!secured
# Duplicate of the rule that follows (identical match and action); remove one.
add action=reject chain=forward dst-port=443 protocol=tcp src-address-list=\
!Social tls-host=*.youtube.com
add action=reject chain=forward dst-port=443 protocol=tcp src-address-list=\
!Social tls-host=*.youtube.com
# LAN may not reach 10.100.200.0/24.
add action=drop chain=forward dst-address=10.100.200.0/24 src-address=\
10.10.105.0/24
# Hotspot placeholder chain; nothing jumps to it and the rule is disabled.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# No action= given, so these ACCEPT. IPsec negotiation (IKE udp/500, NAT-T
# udp/4500, ESP, AH) is accepted from ANY source on ANY interface, including
# the LAN bridge and the hotspot. The reply in this thread agrees the VPN
# accepts must stay open; they could still be limited to in-interface-list=WAN.
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input protocol=ipsec-ah
# "default configuration-mywifi" block: implicit-accept rules for ICMP,
# established and related from anywhere. The "Allow Est, Rel" / "Drop Inv."
# rules further down repeat this; keep one set.
add chain=input comment="default configuration-mywifi" protocol=icmp
add chain=input comment="default configuration-mywifi" connection-state=\
established
add chain=input comment="default configuration-mywifi" connection-state=\
related
# WinBox (tcp/8291) accepted from ANY source and interface. On vlan1 the knock
# rules above have already dropped un-knocked sources, but on ether1-GW1 this
# rule matches before the interface-wide drop on the next line, so WinBox is
# open unconditionally towards the 192.168.0.0/24 side, and the per-list
# "WinBox" accepts further down add nothing. Delete this rule and rely on the
# src-address-list accepts.
add chain=input dst-port=8291 protocol=tcp
# The ONLY catch-all drop in the input chain, and it covers ether1-GW1 only.
# vlan1 is also a WAN member but gets no equivalent, so SNMP (udp/161), DNS
# (53, see allow-remote-requests=yes), RADIUS CoA (udp/3799) and whatever
# /ip service ports are enabled all answer on WAN2. Fix: a single
#   add action=drop chain=input in-interface-list=WAN
# as the LAST rule of the chain, with the needed accepts above it — the
# approach proposed later in this thread.
add action=drop chain=input comment="default configuration-mywifi" \
in-interface=ether1-GW1
# Forward chain: there is no "drop new from WAN unless dst-nat" rule, and
# nothing separates the guest subnets (10.5.50.0/24 hotspot, 192.168.100.0/24
# private WLAN) from the 10.10.105.0/24 LAN and its DVR. As far as this export
# shows, an authenticated hotspot guest can reach LAN hosts; add explicit
# forward drops from the guest subnets to the other local subnets if that
# isolation is intended.
add chain=forward comment="default configuration-mywifi" connection-state=\
established
add chain=forward comment="default configuration-mywifi" connection-state=\
related
add action=drop chain=forward comment="default configuration-mywifi" \
connection-state=invalid
# RADIUS CoA/Disconnect-Request (udp/3799) accepted from any source (pairs with
# /radius incoming accept=yes). Restrict src-address to the RADIUS server
# (WLAN_IP.17 in this config).
add chain=input dst-port=3799 protocol=udp
# Second copy of the established/related accepts (see the
# "default configuration-mywifi" rules above).
add action=accept chain=forward comment="Allow Est, Rel" connection-state=\
established,related
add action=accept chain=input comment="Allow Est, Rel" connection-state=\
established,related
# Management only from the BGaddresses / NSaddresses lists: SSH on 4777 (the
# /ip service entry that moves sshd there is not in this export — confirm) and
# WinBox. The WinBox pair is redundant while the unconditional 8291 accept
# above exists.
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=BGaddresses
add action=accept chain=input comment=SSH dst-port=4777 protocol=tcp \
src-address-list=NSaddresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=NSaddresses
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address-list=BGaddresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=BGaddresses
add action=accept chain=input comment="Allow ICMP" protocol=icmp \
src-address-list=NSaddresses
# Invalid-state and reputation-list drops sit below the accepts, so a
# "shodan"/"pingeri" source hitting an accepted service (8291, IPsec, ICMP) is
# still accepted. Reputation drops belong near the top of the chain.
add action=drop chain=forward comment="Drop Inv." connection-state=invalid
add action=drop chain=input comment="Drop Inv." connection-state=invalid
add action=drop chain=input comment="IN-Block Shodan" src-address-list=\
shodan
add action=drop chain=input comment="IN-Pingers Block" \
src-address-list=pingeri
# Disabled: large-ICMP drop and the SYN-flood limiter (syn-attack chain).
add action=drop chain=input disabled=yes packet-size=200-65535 protocol=icmp
add action=drop chain=forward disabled=yes packet-size=200-65535 protocol=\
icmp
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
connection-state=new disabled=yes jump-target=syn-attack protocol=tcp \
tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
connection-state=new disabled=yes jump-target=syn-attack protocol=tcp \
tcp-flags=syn
add action=accept chain=syn-attack connection-state=new disabled=yes limit=\
400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new disabled=yes protocol=\
tcp tcp-flags=syn
# chain=srcnat rules — the "/ip firewall nat" header was lost when the export
# was trimmed. Masquerading out bridge1 (the LAN) rewrites the source of every
# packet the router forwards INTO the LAN to its own address, hiding the real
# source from LAN hosts and their logs; hairpin NAT is normally scoped with
# src-address/dst-address rather than a bare out-interface. The last rule
# looks like the one the hotspot setup wizard generates.
add action=masquerade chain=srcnat out-interface=ether1-GW1
add action=masquerade chain=srcnat out-interface=bridge1
add action=masquerade chain=srcnat out-interface=vlan1
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.5.50.0/24 to-addresses=0.0.0.0
# Connection-tracking helpers (ALGs) all disabled — fewer protocol parsers
# exposed to untrusted traffic.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Dual-WAN failover via recursive lookup: two default routes whose gateways
# (8.8.4.4 / 8.8.8.8) are probed with check-gateway=ping and pinned by /32
# host routes (scope=10) to the vlan1 next hop (WAN1.93) and to 192.168.0.1
# on ether1-GW1 respectively.
/ip route
add check-gateway=ping distance=1 gateway=8.8.4.4
add check-gateway=ping distance=2 gateway=8.8.8.8
add distance=1 dst-address=8.8.4.4/32 gateway=WAN1.93 scope=10
add distance=2 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10
add disabled=yes distance=1 dst-address=WLAN_IP.17/32 gateway=10.63.0.0
# Belongs under /ip service (header lost in trimming). The state of the other
# services — www, www-ssl, api, ssh, telnet, ftp — is not shown; with no
# terminating WAN drop in the input chain, any that are enabled answer on vlan1.
set api-ssl disabled=yes
# allow-none-crypto=yes lets an SSH client negotiate the "none" cipher, i.e. an
# unencrypted session; set it to no. forwarding-enabled=remote permits remote
# (ssh -R) port forwarding through the router's sshd, rarely needed on a router.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# RADIUS for hotspot authentication (server address redacted). incoming
# accept=yes makes the router honour CoA/Disconnect messages on udp/3799 — see
# the unrestricted accept for that port in the input chain.
/radius
add address=WLAN_IP.17 service=hotspot timeout=3s
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name="SOME RANDOM "
/system ntp client
set enabled=yes primary-ntp=195.178.58.245 secondary-ntp=195.250.114.105
# Bandwidth-test server disabled — good.
/tool bandwidth-server
set authenticate=no enabled=no
Reading as I go along
You have a bridge and one VLAN = 2 DHCP-type interfaces
But you have 3 pools??
Your interface list only contains WAN ???
Now I see you have 2 WANS,
ether1
ether5 - which is what VLAN1 runs on.
Okay so you have another subnet not identified for the hotspot 10.5.50.0/24,
No DHCP, nothing........not sure how hotspots work though.
Your firewall rules and source NAT rules are convoluted and messy for my taste.
Conceptually there is something missing in what you are doing with this device that I don't understand; it seems overly complex.
I removed some of those things that are irrelevant for this.
Okay so you have another subnet not identified for the hotspot 10.5.50.0/24,
No DHCP, nothing........not sure how hotspots work though.
add interface=vlan1 list=WAN
I added it but the results are the same.
You would be far better off going back to the default firewall rules and then adding only what is necessary from there............
Such as any legitimate VPN rules on the input chain to allow initial connection of the tunnel
add action=accept chain=input comment="allow vpn connection" dst-port=X,Y,Z {needed for VPN} in-interface-list=WAN
Anything not VPN should not be open on the Input chain.
As for the additional rules you added to block stuff from the WAN in your config: the last rule on the input chain below covers all of them.
# RouterOS default ("defconf") filter, input chain then forward chain. The
# property the poster's config lacks: each chain ends with a WAN catch-all drop,
# so only what is accepted above it is reachable.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted from anywhere here; restrict it to a source list or a rate
# if the poster's "pingeri" drops were meant to stop pings.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {remove if not needed}
# Everything the router itself must accept from WAN goes ABOVE this line: in the
# poster's config that is IPsec (udp/500, udp/4500, ipsec-esp, ipsec-ah) and
# management from the BGaddresses/NSaddresses lists. The SNMP, DNS and
# /ip service exposure on vlan1 disappears once this rule is in place.
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN reach the LAN only via dst-nat. LAN-side policy from
# the poster's config (DNS-list restriction, the youtube reject, guest-subnet
# isolation) must be re-added in the forward chain ahead of this rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
I understand your logic, but these ports are unfamiliar to me: 2000,5060,8009,8010
Yes, those ports have to be open for the initial VPN connection of the tunnel as per the config.
There is nothing wrong with this behaviour.
The only thing you could do is limit access by source address, if that were possible, which may make them appear closed or invisible (which is the case for ports forwarded to the LAN via dst-nat).
Unfortunately you probably have at least one VPN source, your iPhone, that needs to VPN in from anywhere, and thus a source address list would not help.