Hi everyone,
After the amazing help of @anav with my previous topic viewtopic.php?p=935867, I am now seeking your guidance once more.
One of the next steps I would like to make with my network setup is to put my ISP modem into bridge mode. Main reason is that the network connection from my Mikrotik router to the ISP seems to mess up over time, a quick reboot fixes the problem again. I was told by my ISP support that moving to a bridge mode would certainly fix this issue.
To prepare to move the setup to bridge mode I wanted to check what the current public footprint of my router was. So I ran a couple of NMAP scans from a system connected directly to my ISP modem, and found that port 53 TCP (DNS) was still open. As I did not expect this at all I tried to look for reasons why this might be the case. The firewall is configured with a specific Deny All on the input chain, so this should not happen. I did notice that the DNS setting has "Allow Remote Requests" enabled. I searched on the forums and noticed quite a few posts regarding this topic.
I have tried to disable the "Allow Remote Requests", however it ended up screwing up DNS for all clients in the various VLANs. Additionally when I did disable it NMAP is still indicating that the port remains open. It could be that NMAP is reporting a false positive, but before I make that change to Bridge mode I would like to make sure the setup is OK.
So I have two questions:
1. From what I understand from the Mikrotik manuals this DNS option should only affect DNS requests from the outside. So why does it seem to affect the DNS inside the VLANs? Have I messed something up?
2. When I disabled the option, NMAP still indicates the port to be open. Have I misconfigured anything?
Any leads or questions to help get to the bottom of this are highly appreciated.
Attached are the configuration of the RB5009 and CRS326, and a diagram of the network. I would like to note that the "piHole" shown on the network diagram is not there yet!
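As an added example (not from the original post or its attached configs), this is the usual RouterOS pattern for keeping the router as DNS server for the VLANs while not answering DNS on the ISP side: leave the DNS setting enabled and filter port 53 in the input chain. It assumes interface lists named WAN and LAN already exist; adjust the names to match your own setup.

```routeros
# Added example; assumes /interface list entries "WAN" (uplink to the ISP
# modem) and "LAN" (the VLAN interfaces) exist. Rename to match your config.

# "Allow Remote Requests" is what lets the router answer DNS for *any*
# client that is not the router itself, LAN clients included. Turning it
# off stops the router resolving for the VLANs; the WAN exposure is
# handled by the input chain instead, so keep it enabled.
/ip dns set allow-remote-requests=yes

# Input chain. Order matters: "add" appends at the end, so if a catch-all
# drop already exists these rules must be moved above it
# (/ip firewall filter move <rule-number> <destination-number>).
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="DNS from LAN (UDP)"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="DNS from LAN (TCP, used for large answers)"
# Explicit WAN DNS drops are redundant with the catch-all below, but give
# you separate packet counters to confirm the scan traffic is being hit.
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="drop DNS from WAN (UDP)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="drop DNS from WAN (TCP)"
add chain=input in-interface-list=WAN action=drop \
    comment="drop all other WAN input"

# Verification: rerun the external scan, then check that the WAN DNS drop
# counters increased and that a VLAN client still resolves via the router.
/ip firewall filter print stats where chain=input
/interface list member print
```

If the port still shows open after this, the last command is the one to read carefully: the interface that actually carries the public address (for example a PPPoE interface rather than ether1) must be a member of the WAN list, or the drop rules never see that traffic.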