Wed Jun 08, 2022 2:16 pm
Many thanks, Sindy. Please see the firewall and NAT config below:
# Filter chains. Rules are evaluated top-down per chain; the first match wins,
# so the order below is significant (the unconditional drops at the end of the
# input/output chains and the negated drops at the end of forward are the
# default-deny tails).
/ip firewall filter
# Router <-> BGP peer prefixes: accepted without protocol/port restriction, so
# anything sourced from these /30s reaches the router's input chain.
# NOTE(review): if only BGP is needed, narrowing to protocol=tcp dst-port=179
# would shrink the exposed surface -- confirm against the peering setup.
add action=accept chain=input src-address=xxx.xxx.xxx.236/30 #for BGP allow
add action=accept chain=output dst-address=xxx.xxx.xxx.236/30 #for BGP allow
add action=accept chain=input src-address=xxx.xxx.xxx.244/30 #for BGP allow
add action=accept chain=output dst-address=xxx.xxx.xxx.244/30 #for BGP allow
# ICMP of any type to/from the whole ISP /24.
add action=accept chain=input protocol=icmp src-address=103.xxx.xxx.0/24 #ISP ping allow
add action=accept chain=output dst-address=103.xxx.xxx.0/24 protocol=icmp #ISP ping allow
# Router-originated pings: outbound echo-request (type 8) from the public /26,
# inbound echo-reply (type 0) back to it. Other ICMP types are not accepted
# here and fall to the chain's final drop.
add action=accept chain=output icmp-options=8:0-255 protocol=icmp \
src-address=103.xxx.xxx.64/26 #self ping allow
add action=accept chain=input dst-address=103.xxx.xxx.64/26 icmp-options=\
0:0-255 protocol=icmp #self ping allow
# Router's own DNS/NTP (UDP 53,123) from the two router addresses .246/.238.
# Outbound accepts new+established; inbound accepts the replies by
# established,related plus a src-port match on 53,123.
add action=accept chain=output connection-state=established,new dst-port=\
53,123 protocol=udp src-address=xxx.xxx.xxx.246 #ISP dns/ntp query allow
add action=accept chain=input connection-state=established,related \
dst-address=xxx.xxx.xxx.246 protocol=udp src-port=53,123 #ISP dns/ntp query allow
add action=accept chain=output connection-state=established,new dst-port=\
53,123 protocol=udp src-address=xxx.xxx.xxx.238 #ISP dns/ntp query allow
add action=accept chain=input connection-state=established,related \
dst-address=xxx.xxx.xxx.238 protocol=udp src-port=53,123 #ISP dns/ntp query allow
# LAN (192.168.0.0/22) may reach every router service, and the router may
# answer the LAN, as long as the connection is not invalid.
# NOTE(review): this exposes all management services to the whole LAN; if
# only a management subnet or specific ports are intended, restrict here.
add action=accept chain=input connection-state=!invalid src-address=\
192.168.0.0/22
add action=accept chain=output connection-state=!invalid dst-address=\
192.168.0.0/22
# ICMP is forwarded for the LAN in both directions regardless of state.
add action=accept chain=forward protocol=icmp src-address=\
192.168.0.0/22
add action=accept chain=forward dst-address=192.168.0.0/22 \
protocol=icmp
# Default-deny for traffic to and from the router itself. Note the output
# drop also applies to everything the router originates that is not listed
# above (e.g. any other management or update traffic).
add action=drop chain=input
add action=drop chain=output
# LAN (bridge1) may not reach the RFC 1918 ranges through the router.
add action=drop chain=forward dst-address=10.0.0.0/8 in-interface=bridge1
add action=drop chain=forward dst-address=172.16.0.0/12 in-interface=bridge1
add action=drop chain=forward dst-address=192.168.0.0/16 in-interface=bridge1
# Keyword blocking: content= is a substring match on the packet payload of
# TCP 80/443 from bridge1, answered with an ICMP network-unreachable.
# NOTE(review): on 443 only the unencrypted part of the handshake (such as
# the SNI hostname) is visible, so coverage depends on the client; short
# strings like "hoxx", "bitcoin" or "torrent" will also match unrelated
# pages whose payload happens to contain them -- confirm this is acceptable.
add action=reject chain=forward content=facebook.com dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=browsec dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=netflix dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hoxx dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hotspotshield dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=bitcoin dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=anchorfree dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=openvpn dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=hoichoi dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=primevideo dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=fundesh dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=torrent dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=finevpn dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=vpn-club dst-port=80,443 \
in-interface=bridge1 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=forward content=vpnclub dst-port=80,443 in-interface=\
bridge1 protocol=tcp reject-with=icmp-network-unreachable
# Specific destinations blocked for bridge1 (all protocols).
add action=reject chain=forward dst-address=xxx.xxx.100.35 in-interface=\
bridge1 reject-with=icmp-network-unreachable
add action=reject chain=forward dst-address=xxx.xxx.192.0/24 in-interface=\
bridge1 reject-with=icmp-network-unreachable
# Stateful forwarding for the LAN: LAN-originated new/established outbound,
# established/related return traffic inbound.
# NOTE(review): the outbound rule lacks "related", so LAN-originated related
# connections (e.g. ICMP errors, helper-tracked data channels) to non-LAN
# destinations fall through to the negated drop below -- confirm intended.
add action=accept chain=forward connection-state=established,new src-address=\
192.168.0.0/22
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.0.0/22
# Default-deny tail: anything not accepted above that has a non-LAN source
# or a non-LAN destination is dropped (unsolicited inbound lands here).
add action=drop chain=forward src-address=!192.168.0.0/22
add action=drop chain=forward dst-address=!192.168.0.0/22
# Source NAT. Only the protocols/ports listed below are translated; LAN
# traffic that matches none of these rules leaves with its private source
# address unchanged.
# NOTE(review): confirm that is intended (e.g. an upstream carrier-grade NAT);
# otherwise a catch-all masquerade/src-nat rule for 192.168.0.0/22 is missing.
/ip firewall nat
# The router's own addresses .246/.238 are translated into the public /30.
add action=src-nat chain=srcnat src-address=xxx.xxx.xxx.246 to-addresses=\
xxx.xxx.xxx.64/30
add action=src-nat chain=srcnat src-address=xxx.xxx.xxx.238 to-addresses=\
xxx.xxx.xxx.64/30
# LAN ICMP is source-NATed to the public /26 only while under the limits:
# at most 100 tracked connections (netmask 0 = counted across all sources),
# 1 packet per 10s per destination (dst-limit) and a 1 packet/s global
# rate (limit). Packets over the limits do not match and are not translated.
add action=src-nat chain=srcnat connection-limit=100,0 dst-limit=\
1,1,dst-address/10s limit=1,1:packet protocol=icmp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
# netmap = 1:1 address mapping of the LAN /22 onto the public /26 for the
# listed TCP ports.
# NOTE(review): the /22 source (1024 addresses) is larger than the /26
# target (64 addresses); confirm how the excess hosts are mapped, since
# several LAN hosts will share one public address.
add action=netmap chain=srcnat dst-port=\
20-23,80,443,1723,4244,5242,5243,7985,500,515,1352,1533,3389,3390 \
protocol=tcp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
5050,5902,7618,8889,444,3128,3478,1158,1521,5500,5901,5900,4848,8189,8888 \
protocol=tcp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port="3313,83,2047,2048,5051,5052,5081,8081\
,8082,8084,8443,8554,9080,40000-40010" protocol=tcp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port="554,2099,4244,4443,5222,5223,5228-523\
0,5242,6313,10443,30000,33899,50318,59234" protocol=tcp src-address=\
192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
6000-6016,7100,8090,8787,10554,20002,20014,31000-31012,40014 protocol=tcp \
src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
# Same 1:1 mapping for the listed UDP ports.
add action=netmap chain=srcnat dst-port=\
20,123,500,515,1723,5000,5010,5050,5081,5100,8889,2047,2048,3478,5051 \
protocol=udp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat dst-port=\
554,4500,5052,8081,8082,8084,8554,34784,45395,50318,59234,49000-50010 \
protocol=udp src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
# Same 1:1 mapping for GRE and IPsec (ESP/AH), which carry no ports; together
# with UDP 500/4500 above this is what lets LAN VPN clients pass through.
add action=netmap chain=srcnat protocol=gre src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat protocol=ipsec-esp src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26
add action=netmap chain=srcnat protocol=ipsec-ah src-address=192.168.0.0/22 \
to-addresses=xxx.xxx.xxx.64/26