The first thing to note is that I have included updated instructions for the use of one port [ether5?] (for emergency access to the router) that is OFF the bridge, and thus if you screw up the bridge at all during a configuration, you can easily access the router via the dedicated emergency port, or rather just configure from the dedicated port as you see fit. The ones I gave you earlier were not quite right.
viewtopic.php?t=181718
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember, the input chain is traffic TO the router. So, for example, the ICMP rule is there to allow the router itself to be pinged, which turns out to be quite a useful testing tool for the admin in a variety of scenarios.
The capsman rule here is only needed if you intend to run capsman functionality to control all your MT access points. It's another layer of complexity that should be avoided by the new user until they understand how to control wifi without it (plus it's really only of value if you have more than 3 access points). Remove or disable it.
Correct, the LAN users need access to the router for router services; commonly this IS ONLY the DNS service, but sometimes NTP and sometimes UPnP etc.
With this in mind, let's go to a change to make in the router firewall rules.
We are going to change the one "allow LAN list" rule to:
a. only allow the interface the admin uses most of the time FULL access to the router (for config purposes).
b. everyone else only needs DNS services.
add action=accept chain=input in-interface=vlan20 (or whatever name the personal one is)
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
If your personal vlan was not the one you use all the time, and it was the family one instead, then you would use the family vlan in that rule but also add src-address-list=authorized to narrow it down to only the devices you use (desktop, laptop, smartphone, iPad etc.).
+++++++++++++++++++++++++++++++
Forward chain
Yes, fasttrack allows the router to take shortcuts when moving traffic around, so it speeds things up.
If you use MANGLE functionality, one usually disables fasttrack, and there are a few other instances where that may occur.
Yup, invalid traffic, traffic that is deemed not correct (e.g. in format), is dropped.
Yup, port forwarding to a server, normally used if you have external access to a device such as an FTP server or NAS etc.
So we come to the next gate. You are well set up for traffic on the forward chain, but because of the drop-all rule you stop all traffic between vlans.
SO now you want everyone to access the shared resources:
add action=accept chain=forward in-interface-list=LAN out-interface=vlan10 (or whatever the name is)
Now, let's say you didn't have a dedicated subnet for shared resources and you had them on your personal vlan:
add action=accept chain=forward in-interface-list=LAN out-interface=vlan20 dst-address-list=shared-devices
where shared-devices is a firewall address list (under /ip firewall address-list):
add address=<ip of printer> list=shared-devices
add address=<ip of scanner> list=shared-devices
etc...
In this way the rule states: for all traffic coming from all LANs and headed to the personal vlan, ALLOW only the traffic headed for the specific IPs on that vlan.
Hopefully you get the idea!!!
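As an added illustration (this is example configuration written for this page, not the poster's own export), here are the pieces discussed above assembled in the order they need to sit in the firewall: the emergency port kept off the bridge, the input chain with full access only for the admin VLAN (and for named admin devices on the family VLAN via an address list) and DNS-only for everyone else, and the forward chain with the inter-VLAN exceptions placed above the final drop rule. All interface names (ether1 as WAN, ether5 as the emergency port, vlan10 shared resources, vlan20 personal/admin, vlan30 family) and all IP addresses are assumptions chosen for the example.

```routeros
# Added example, not the poster's configuration. Assumed names: ether1 = WAN,
# ether5 = emergency port kept OFF the bridge, vlan10 = shared-resources VLAN,
# vlan20 = personal/admin VLAN, vlan30 = family VLAN. Addresses are placeholders.

# Emergency access port: make sure ether5 is not a bridge port and give it its
# own address, so the admin can plug in directly if the bridge config is broken.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.99.1/24 interface=ether5 comment="emergency access"

/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=vlan10 list=LAN
/interface list member add interface=vlan20 list=LAN
/interface list member add interface=vlan30 list=LAN

/ip firewall address-list
# devices on the personal VLAN that every VLAN may reach
add address=192.168.20.10 list=shared-devices comment="printer"
add address=192.168.20.11 list=shared-devices comment="scanner"
# admin devices living on the family VLAN that may still configure the router
add address=192.168.30.50 list=authorized comment="admin laptop"

/ip firewall filter
# ---- input chain: traffic TO the router ----
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="let the router be pinged"
add chain=input action=accept in-interface=ether5 comment="emergency port: full access"
add chain=input action=accept in-interface=vlan20 comment="personal/admin VLAN: full access"
add chain=input action=accept in-interface=vlan30 src-address-list=authorized \
    comment="named admin devices on the family VLAN: full access"
add chain=input action=accept connection-state=new in-interface-list=LAN \
    protocol=udp dst-port=53 comment="Allow LAN DNS queries - UDP"
add chain=input action=accept connection-state=new in-interface-list=LAN \
    protocol=tcp dst-port=53 comment="Allow LAN DNS queries - TCP"
add chain=input action=drop comment="drop everything else aimed at the router"

# ---- forward chain: traffic THROUGH the router ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="disable this rule if you add mangle rules"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="all VLANs to the internet"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="port-forwarded traffic to the server/NAS"
add chain=forward action=accept in-interface-list=LAN out-interface=vlan10 \
    comment="everyone to the shared-resources VLAN"
add chain=forward action=accept in-interface-list=LAN out-interface=vlan20 \
    dst-address-list=shared-devices comment="everyone to the shared printer/scanner only"
add chain=forward action=drop comment="drop everything else, including other inter-VLAN traffic"
```

Rule order is what makes this work: every accept rule has to sit above the final drop rule in its chain, so when adding the inter-VLAN exceptions to an existing firewall use place-before= pointing at that drop rule rather than appending, and check with /ip firewall filter print stats that the counters on the new rules increase while you test. Two caveats: the emergency port grants full access to anyone who can physically plug into it, so keep it physically protected; and src-address-list=authorized only matches an IP, which any device on the family VLAN could assign itself, so pin the admin devices with static DHCP leases and treat that list as a convenience filter, not authentication.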