Why would you have one rule that allows everything and then another rule that allows by source list again?
# The first rule does not accept "everything": it matches only
# connection-state=established,related, i.e. packets belonging to connections
# the router has already admitted (replies and related flows).  A brand-new
# connection to the router does not match it.
# The second rule is the one that admits NEW connections to the router, and
# only when the source is in the allowed_to_router address list.  The two
# rules therefore cover different traffic and both are needed.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
# dec/04/2021 23:53:09 by RouterOS 6.49.1
# software id = 7JH6-RDZ4
#
# model = RB760iGS
# serial number = xxxxxxx
/interface bridge
# Single LAN bridge; the copper ports are attached to it under
# /interface bridge port further down.
add name=bridge1
/interface ethernet
# The SFP port is renamed "Fiber"; flow control is set to auto and the
# advertise list is kept as exported.
set [ find default-name=sfp1 ] advertise="10M-half,10M-full,100M-half,100M-ful\
l,1000M-half,1000M-full,2500M-full,5000M-full" name=Fiber \
rx-flow-control=auto tx-flow-control=auto
/interface vlan
# Tagged VLAN 35 on the Fiber port.  "Fiber Vlan" is the interface the NAT,
# UPnP and bogon-drop rules below treat as the internet-facing side.
add interface=Fiber name="Fiber Vlan" vlan-id=35
/interface list
# Interface groups referenced by the firewall, NAT, neighbor-discovery and
# detect-internet settings below.
add name=WAN
add name=LAN
/ip pool
# DHCP leases are handed out only from 172.16.0.50-254, although bridge1 is
# addressed with a /12 (see /ip address).
add name=dhcp ranges=172.16.0.50-172.16.0.254
/ip dhcp-server
# dhcp1 serves bridge1 from the "dhcp" pool.  The lease-script below runs on
# every lease state change and keeps /ip dns static in sync with the lease
# table.  Entries it creates are tagged with the comment "#DHCP" so that it
# only ever removes its own records.
#
# When $leaseBound = 1 (lease bound) it:
#  - aborts if $leaseActIP is empty;
#  - reads the server's lease-time (used as the DNS ttl) and the network's
#    domain for the lease address;
#  - refuses to act if the address has anything other than exactly one active
#    lease;
#  - builds "<host-name>.<domain>", falling back to the lease comment when the
#    client sent no host-name, and aborts if either part is still empty;
#  - adds a static DNS entry unless the find for an enabled entry with that
#    name/address returns something.  NOTE(review): the find is written with
#    "and" (name AND address) while the log message says "name or address";
#    confirm which of the two the find actually evaluates on this version.
# Otherwise (lease released) it removes every static entry that carries the
# lease address and the "#DHCP" comment.
#
# NOTE(review): host-name is whatever the DHCP client sent, so any LAN host
# chooses the name it is published under; the script does not validate the
# name's characters before passing it to "/ip dns static add", and the only
# collision check is the existing-entry test above.
add address-pool=dhcp disabled=no interface=bridge1 lease-script=":local DHCPt\
ag\
\n:set DHCPtag \"#DHCP\"\
\n\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
\n\
\n:if ( \$leaseBound = 1 ) do=\\\
\n{\
\n :local ttl\
\n :local domain\
\n :local hostname\
\n :local fqdn\
\n :local leaseId\
\n :local comment\
\n\
\n /ip dhcp-server\
\n :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
\n network \
\n :set domain [ get [ find \$leaseActIP in address ] domain ]\
\n \
\n .. lease\
\n :set leaseId [ find address=\$leaseActIP ]\
\n\
\n# Check for multiple active leases for the same IP address. It's weird a\
nd it shouldn't be, but just in case.\
\n\
\n :if ( [ :len \$leaseId ] != 1) do=\\\
\n {\
\n :log info \"DHCP2DNS: not registering domain name for address \$lease\
ActIP because of multiple active leases for \$leaseActIP\"\
\n :error \"multiple active leases for \$leaseActIP\"\
\n } \
\n\
\n :set hostname [ get \$leaseId host-name ]\
\n :set comment [ get \$leaseId comment ]\
\n /\
\n\
\n :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
\n\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\
\n {\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty lease host-name or comment\"\
\n :error \"empty lease host-name or comment\"\
\n }\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\
\n {\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty network domain name\"\
\n :error \"empty network domain name\"\
\n }\
\n\
\n :set fqdn \"\$hostname.\$domain\"\
\n \
\n /ip dns static\
\n :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
no ] ] = 0 ) do=\\\
\n {\
\n :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
ess \$leaseActIP with ttl \$ttl\"\
\n add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
abled=no\
\n } else=\\\
\n {\
\n :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
s \$leaseActIP because of existing active static DNS entry with this name \
or address\" \
\n }\
\n /\
\n} \\\
\nelse=\\\
\n{\
\n /ip dns static\
\n :local dnsDhcpId \
\n :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
\n\
\n :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
\n {\
\n :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
easeActIP\"\
\n remove \$dnsDhcpId\
\n }\
\n /\
\n}" name=dhcp1
/interface bridge port
# All five copper ports are LAN; the SFP port (Fiber) is not bridged.
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces (bridge1), so the router does
# not announce itself on the provider-facing ports.
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
# Both the tagged "Fiber Vlan" and the untagged Fiber port are members of
# WAN.  A rule that matches a single in-interface rather than
# in-interface-list=WAN (see the bogon drop in /ip firewall filter) covers
# only one of the two.
add interface="Fiber Vlan" list=WAN
add interface=bridge1 list=LAN
add interface=Fiber list=WAN
/ip address
# The LAN prefix is the whole 172.16.0.0/12, while the DHCP pool and the
# allowed_to_router list only cover 172.16.0.x.  A host with a static address
# elsewhere in the /12 is on-link but cannot open connections to the router's
# own services (DNS, etc.) because the input chain drops it.
add address=172.16.0.1/12 interface=bridge1 network=172.16.0.0
/ip cloud
# Publishes the router's current WAN address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-server network
# NOTE(review): the 0.0.0.0/24 entry matches no LAN address range and looks
# like a leftover; presumably safe to remove — confirm nothing depends on it.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
# Clients are told to use the router as their resolver.  "local" is also the
# mDNS zone (RFC 6762), so hosts with an mDNS resolver may answer
# <name>.local themselves instead of asking this server.
add address=172.16.0.0/12 dns-server=172.16.0.1 domain=local gateway=\
172.16.0.1 netmask=12
/ip dns
# The router answers DNS queries arriving on any interface; it is kept from
# being an open resolver on the WAN only by the input chain's final drop rule
# in /ip firewall filter.
set allow-remote-requests=yes
/ip firewall address-list
# Sources allowed to open NEW connections to the router itself (see the input
# chain in /ip firewall filter).  Only 172.16.0.2-254, not the whole /12 that
# bridge1 carries.
add address=172.16.0.2-172.16.0.254 list=allowed_to_router
# Non-routable / special-purpose prefixes.  This list also contains the LAN
# prefix 172.16.0.0/12, so any rule that uses it must be restricted to the
# WAN side (the filter rule below is bound to "Fiber Vlan").
# NOTE(review): the "wan-ip" list referenced by /ip firewall nat is not
# defined in this export.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
# Rules are evaluated top-down within a chain.  A packet that reaches the end
# of a chain without hitting a terminating rule is accepted by RouterOS, so
# each chain needs its own final drop.
#
# --- input chain: traffic addressed to the router itself ---
# Replies/related packets for connections already admitted.
add action=accept chain=input comment="default configuration" \
connection-state=established,related
# New connections to the router only from the allowed_to_router list
# (172.16.0.2-254).
add action=accept chain=input src-address-list=allowed_to_router
# NOTE(review): accepts every ICMP type from every interface, WAN included.
# The forward chain sends ICMP through the type-filtering "icmp" chain; the
# same jump-target=icmp could be used here for consistency.
add action=accept chain=input protocol=icmp
# Terminal drop: everything else (new connections from the WAN, and from LAN
# hosts outside allowed_to_router, including DNS queries).
add action=drop chain=input
#
# --- forward chain: traffic routed through the router ---
# FastTrack marks established/related connections so later packets bypass
# the remaining filter rules; it must stay ahead of the accept below.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# ICMP is type-filtered in the "icmp" chain below.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
# Bogon drop.  NOTE(review): bound to "Fiber Vlan" only; the untagged Fiber
# port is also in the WAN list (see /interface list member) and is not
# covered.  in-interface-list=WAN would match both.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
"Fiber Vlan" log=yes log-prefix=!public src-address-list=not_in_internet
# NOTE(review): src-address=!128.0.0.0/1 drops sources 0.0.0.0-127.255.255.255.
# Every such source is also outside 172.16.0.0/12, so this rule is entirely
# subsumed by the next one and appears to be a leftover.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!128.0.0.0/1
# Anti-spoofing: LAN-side packets must carry a LAN source address.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!172.16.0.0/12
# NOTE(review): the forward chain has no terminal rule.  New connections from
# the WAN that nothing above matches — dst-nat'ed traffic, UPnP mappings, or
# anything routed straight at a LAN address — fall through to the default
# accept.  The usual RouterOS default-configuration rule
# "add action=drop chain=forward connection-state=new
#  connection-nat-state=!dstnat in-interface-list=WAN" is absent, so
# WAN->LAN isolation rests on the /12 being unroutable from the internet.
#
# --- icmp chain: reached only via the jump above; only these types pass ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
# Terminal drop for the icmp chain; nothing returns to the forward chain.
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
# Hairpin: routed LAN-to-LAN traffic (e.g. a LAN client reaching one of the
# dst-nat'ed servers below) is masqueraded so the reply comes back through
# the router instead of directly to the client.
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=\
172.16.0.0/12 src-address=172.16.0.0/12
# Outbound NAT for the LAN prefix on any WAN-list interface.
add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN \
src-address=172.16.0.0/12
# Port forwards.  NOTE(review): every rule below keys on dst-address-list=
# wan-ip, which is not defined in this export's /ip firewall address-list;
# presumably it is populated dynamically (not visible here).  Until it holds
# the current WAN address these rules match nothing.
# The forward chain has no rule restricting dst-nat'ed traffic, so access to
# the forwarded services is controlled entirely by the target hosts.
add action=dst-nat chain=dstnat comment="http to traefik" dst-address-list=\
wan-ip dst-port=80 protocol=tcp to-addresses=172.16.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="https to traefik" dst-address-list=\
wan-ip dst-port=443 protocol=tcp to-addresses=172.16.0.10 to-ports=443
add action=dst-nat chain=dstnat comment=transmission dst-address-list=wan-ip \
dst-port=55555 protocol=tcp to-addresses=172.16.0.10 to-ports=55555
add action=dst-nat chain=dstnat comment=transmission-udp dst-address-list=\
wan-ip dst-port=55555 protocol=udp to-addresses=172.16.0.10 to-ports=\
55555
# SSH on 172.16.0.10 is reachable from the internet on port 8002.
add action=dst-nat chain=dstnat comment="ssh to dckr1" dst-address-list=\
wan-ip dst-port=8002 protocol=tcp to-addresses=172.16.0.10 to-ports=22
# SSH on 172.16.0.2 is reachable from the internet on port 8003.
# NOTE(review): this rule has no comment; document which host 172.16.0.2 is
# and why its SSH needs to be exposed, as for the rule above.
add action=dst-nat chain=dstnat dst-address-list=wan-ip dst-port=8003 \
protocol=tcp to-addresses=172.16.0.2 to-ports=22
/ip smb
# SMB is bound to bridge1 only; whether the service is enabled is not shown
# in this export.
set domain=local interfaces=bridge1
/ip upnp
# NOTE(review): with UPnP enabled any LAN host can request its own inbound
# port mappings on the external interface; these appear as dynamic dst-nat
# rules that are not reviewed in this file, and the forward chain applies no
# further filtering to them (it has no terminal drop).
set enabled=yes
/ip upnp interfaces
add interface="Fiber Vlan" type=external
add interface=bridge1 type=internal
/system clock
set time-zone-name=America/Halifax
/system identity
set name=rotorouter
/system package update
# Updates are taken from the "upgrade" channel.
set channel=upgrade