Evenin' Folks
I have a new RB750 and an older RB2011.
There will only be 3 devices on the RB2011. I have reset it and kept the default config in winbox, and I have reset it and tried Quickset. It seems that with the PPPoE connection picked in Quickset, it properly assigns dynamic DNS from the ISP. I had to manually enter DNS servers when adding the PPPoE manually after keeping the winbox defaults, even with "use peer DNS" checked. So I started with the defconf from Quickset. I am at the point of setting up the firewall and have a few questions.
I set up the RB maybe 6 years ago using PPPoE internet with help from this forum. Not really having worked with ROS for so long, I am wondering what best practice might be in regards to changes in the modern configs.
I did not have fasttrack then, for example. The defconf firewall had to be changed to accommodate PPPoE, but it seems OK now using interface lists.
I previously had all bogons in a single address list and they were filtered only in the forward chain. I see in MikroTik help > Advanced Firewall, the suggestion is to add the bogon filter(s) in the raw chain along with a jump to a very specific ICMP filter chain and an additional jump to a TCP flag chain. Also the bogons are separated into 3 lists, according to type. Any advantage to multiple smaller lists?
Previously I just allowed ICMP in the input chain and didn't worry about it. Should I?
The TCP flag filter seems legit, but I never had any before. Good idea? Is using the raw chain (or any chain) a good idea for these types of filters performance-wise?
I am dst-natting http(s), rtsp and a couple of service ports to an NVR and a PC that remotes to employees' home networks for application support. That is it for devices on this network. No wifi.
Are there any firewall considerations I should have in this case or should the defconf suffice?
My final question is regarding a hairpin masquerade. I need to be able to check connectivity from a web portal back to the PC from the PC. Is there a danger in doing this via a hairpin masquerade if I am literally the only PC on the subnet? Is there a better way?
The RB750 will be the gateway for the rest of the devices in the house on a second ISP. I will tackle it next, as I may need some help with it too, and I've rambled on long enough. I appreciate any forthcoming suggestions....router-wise
Mongoid
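Editor's note: the config below is an added example and is not from the post above or from MikroTik's own defconf. It shows the four things the post asks about in one place: bogons split into three lists so each list can be scoped differently in the raw chain, a dedicated ICMP chain, a TCP-flag chain, and a hairpin masquerade for the dst-natted ports. It assumes the defconf layout (pppoe-out1 in interface list WAN, the bridge in LAN, LAN 192.168.88.0/24 with the router at .1), an NVR at 192.168.88.10, HTTPS on 443 and RTSP on 554 as the forwarded ports, and that the defconf "drop" rules still carry their stock comments so `place-before` can find them. All of those addresses, ports and list names are assumptions to adjust.

```routeros
# Added example, not from the original post. Assumed: defconf layout, WAN = pppoe-out1,
# LAN = bridge, LAN 192.168.88.0/24, router .1, NVR .10, ports 443 and 554.

# 1. Bogons in three lists. Splitting by type is what lets each list get its own
#    direction and interface scope in the raw rules below.
/ip firewall address-list
add list=bad_src_ipv4 address=0.0.0.0/8      comment="never a valid source (except DHCP discover, accepted below)"
add list=bad_src_ipv4 address=127.0.0.0/8    comment="loopback"
add list=bad_src_ipv4 address=224.0.0.0/4    comment="multicast is never a source"
add list=bad_src_ipv4 address=240.0.0.0/4    comment="reserved / broadcast"
add list=bad_dst_ipv4 address=0.0.0.0/8      comment="never a valid destination"
add list=bad_dst_ipv4 address=127.0.0.0/8    comment="loopback"
add list=not_global_ipv4 address=10.0.0.0/8      comment="RFC 1918: fine inside, never a source on WAN"
add list=not_global_ipv4 address=172.16.0.0/12   comment="RFC 1918"
add list=not_global_ipv4 address=192.168.0.0/16  comment="RFC 1918"
add list=not_global_ipv4 address=169.254.0.0/16  comment="link-local"
add list=not_global_ipv4 address=198.18.0.0/15   comment="benchmarking"
add list=not_global_ipv4 address=192.0.2.0/24    comment="TEST-NET-1"
add list=not_global_ipv4 address=198.51.100.0/24 comment="TEST-NET-2"
add list=not_global_ipv4 address=203.0.113.0/24  comment="TEST-NET-3"
# 100.64.0.0/10 (CGNAT) is deliberately left out: if the ISP hands out the PPPoE
# peer from that range, dropping it in prerouting breaks the link.

# 2. Raw chain: packets dropped here never reach connection tracking, so this is
#    the cheapest place for traffic that should never exist. Order matters: the
#    DHCP accept must come before the src 0.0.0.0/8 drop.
/ip firewall raw
add chain=prerouting in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68 \
    dst-address=255.255.255.255 dst-port=67 action=accept comment="DHCP discover before bogon drops"
add chain=prerouting src-address-list=bad_src_ipv4 action=drop comment="never-valid source, any interface"
add chain=prerouting dst-address-list=bad_dst_ipv4 action=drop comment="never-valid destination, any interface"
add chain=prerouting in-interface-list=WAN src-address-list=not_global_ipv4 action=drop \
    comment="private/reserved source arriving from the internet"

# 3. Filter: a dedicated ICMP chain (accept what a working network needs, rate-limit
#    echo, drop the rest) and a TCP-flag chain for combinations no real stack sends.
/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0  action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0  action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1  action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:3  action=accept comment="port unreachable"
add chain=icmp protocol=icmp icmp-options=3:4  action=accept comment="fragmentation needed (PMTUD, matters on PPPoE)"
add chain=icmp protocol=icmp icmp-options=8:0  action=accept limit=5,5:packet comment="echo request, rate limited"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="TTL exceeded (traceroute)"
add chain=icmp protocol=icmp action=drop comment="all other ICMP types"

add chain=bad_tcp protocol=tcp tcp-flags=!fin,!syn,!rst,!ack action=drop comment="NULL scan"
add chain=bad_tcp protocol=tcp tcp-flags=fin,syn  action=drop comment="SYN+FIN"
add chain=bad_tcp protocol=tcp tcp-flags=fin,rst  action=drop comment="FIN+RST"
add chain=bad_tcp protocol=tcp tcp-flags=syn,rst  action=drop comment="SYN+RST"
add chain=bad_tcp protocol=tcp tcp-flags=fin,!ack action=drop comment="FIN without ACK"
add chain=bad_tcp protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=drop comment="XMAS scan"

# Hook the chains in AFTER the defconf fasttrack / established,related / invalid
# rules but BEFORE the defconf drops, so only new or untracked packets pay for them.
# place-before assumes the stock defconf comments are still present; otherwise
# drag the rules into place in winbox.
add chain=input in-interface-list=WAN protocol=icmp action=jump jump-target=icmp \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=forward in-interface-list=WAN protocol=tcp action=jump jump-target=bad_tcp \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 4. NAT. dst-address-type=local matches any router address, including 192.168.88.1,
#    so exclude the LAN address or winbox/webfig on the router's own 443 would be
#    forwarded to the NVR. Without an in-interface restriction the same rule serves
#    both internet clients and the hairpin case (LAN client -> public IP).
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 comment="HTTPS -> NVR (WAN and hairpin)"
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=554 \
    action=dst-nat to-addresses=192.168.88.10 comment="RTSP -> NVR (WAN and hairpin)"
# Hairpin: a LAN client hitting the public IP gets dst-natted to the NVR, which is on
# the same subnet, so its reply would go straight back to the client with the NVR's
# source and the client would discard it. Masquerading this one flow makes the NVR
# reply to the router, which untranslates it. Scoped to LAN->NVR on the forwarded
# ports only; the defconf WAN masquerade is untouched.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=443,554 \
    action=masquerade comment="hairpin NAT for forwarded ports"
```

Two caveats on the hairpin, since the post asks whether it is dangerous: the only thing the narrow srcnat rule costs you is that the NVR (or PC) sees the router's LAN address instead of the real client in its logs, which is irrelevant with one client and worth knowing about with more. The thing that actually bites is a hairpin masquerade written too broadly (for example `src-address=192.168.88.0/24 action=masquerade` with no destination), which rewrites every LAN-to-LAN flow that passes the router. On the exposure side, the rules above still accept HTTPS and RTSP to the NVR from the whole internet; if the support PC only ever needs to be reached from known networks, add `src-address-list=` of those networks to its dst-nat rule so the defconf "drop all from WAN not DSTNATed" rule discards everything else before it reaches the host.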