A. network diagram
B. /export config (hide any public IPs)
C. detailed description of user requirements, which users from where need port forwarding,
Light reading:
viewtopic.php?t=179343
This forum is for useful articles, beginner and general issues are where you should post next time!
thanks, this is my configuration:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN-SKY
set [ find default-name=ether4 ] name=ether4-WIFI
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether4-WIFI
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set route-cache=no tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=ether2-WAN-SKY list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.7.2.1/16 comment=INTERNET interface=ether1-WAN network=\
10.7.0.0
add address=192.168.10.100/24 interface=ether2-WAN-SKY network=192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=yes list=\
not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=smb-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SMB Flood Gathering" connection-limit=100,32 dst-port=445 in-interface=\
bridge protocol=tcp
add action=add-src-to-address-list address-list=snpp-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SNPP/Backdoor Flood\r\
\nGathering" connection-limit=20,32 dst-port=444 in-interface=bridge \
protocol=tcp
add action=add-src-to-address-list address-list=msf-indication \
address-list-timeout=none-dynamic chain=forward comment=\
"Metasploit Indication" connection-limit=20,32 dst-port=4444 \
in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=ssh-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SSH Flood Gathering" connection-limit=20,32 dst-port=22 in-interface=\
bridge protocol=tcp
add action=add-src-to-address-list address-list=telnet-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"Telnet Flood\r\
\nGathering" connection-limit=20,32 dst-port=23 in-interface=bridge \
protocol=tcp
add action=log chain=forward comment="Abnormal Traffic" connection-bytes=\
80000000 disabled=yes limit=1,5:packet log-prefix=Abnormal-Traffic
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward comment="Port scanners to list " \
in-interface=!bridge log-prefix="port scanner" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=DoS_Attacked \
address-list-timeout=5m chain=input comment=DoS_Attacked \
connection-limit=32,32 protocol=tcp
add action=tarpit chain=input comment=DoS_Attacked connection-limit=10,32 \
protocol=tcp src-address-list=DoS_Attacked
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
src-address=0.0.0.0/8
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=drop chain=forward comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="drop echo request" icmp-options=8:0 \
in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=accept chain=input comment="Allow Established connections" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="ACCETTA TRAFFICO DA WIREGUARD" \
in-interface=TUNNEL-NEGOZIO src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list=FW_Block_unkown_port \
address-list-timeout=1d chain=input comment=\
"Add IP of user to access list if they have tried port that is not open." \
disabled=yes in-interface-list=WAN log-prefix=FI_AS_port-test \
src-address=!10.7.0.1
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="BLOCCO BLACKLIST" connection-state=new \
in-interface-list=!LAN src-address-list=blacklist
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
/ip firewall mangle
add action=change-ttl chain=prerouting comment="NO TRaceroute" new-ttl=\
increment:1 passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="WEBCAM CASA" dst-port=8181 \
in-interface=ether1-WAN protocol=tcp src-address=!192.168.0.0/24 \
to-addresses=192.168.1.51 to-ports=8080
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment=DDOS dst-address-list=ddos-target \
src-address-list=ddos-attackers
add action=drop chain=prerouting comment="DNS Amplification" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment=\
"Well-Known Virus/Flooding Port- esscludo ip nas" dst-address-list=!SMB \
dst-port=445,2000,4444,444 in-interface-list=LAN protocol=tcp
add action=drop chain=prerouting comment="Memcached Flood" in-interface-list=\
LAN protocol=udp src-port=11211
add action=drop chain=prerouting comment="drop port scanner" \
src-address-list="port scanners"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN log=yes src-address-list=not_global_ipv4
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting in-interface-list=WAN protocol=!tcp \
src-address=!x.x.x.x src-address-list=FW_Block_unkown_port
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
10.7.0.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=192.168.5.0/24 gateway=192.168.1.100 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=192.168.0.0/24 \
gateway=10.0.8.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.10.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,10.0.8.0/30,192.168.0.11/32 port=1170
set api-ssl disabled=yes
/system ntp client
set mode=broadcast
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1-WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no