Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Firewall Rule

Fri Dec 30, 2022 5:47 pm

Hello,
I have had MikroTik routers for around a year or more.
Like many users, I tried many "ready-made" firewall rule sets and other settings.

I have already found the firewall rule that makes my internet super slow (from 1000 Mb/s to a maximum of 200 Mb/s).

But if the fasttrack rule is high up in the FW rules, the internet is back to 1 Gb, but I get issues with opening some web pages or loading some content in some apps or in games, as if I had lost some part of the internet
(because, for example, I can still move the mouse with the gun and see other players walking and doing something, but they say I have been kicked). (The issue does not show up on a "clean" ISP router or on a clean MikroTik with very basic settings.)
On the screenshot you can see fasttrack (at the top) = working at 1 Gb.
When fasttrack is below "drop invalid" (440 GiB), the internet goes to 200 Mb max.

I know some basics of FW rules but can't figure out what exactly that rule at position 49 does.
It has extremely big packet counts, as you can see.


Image
On the screenshot: the settings of the rule at position 49.
Any help will be appreciated.
 
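As an added example (not part of the original post), here is the forward-chain ordering used by the RouterOS default firewall (the "defconf" rules), with the fasttrack rule in its intended place. The rule texts are the standard defconf ones; it is assumed that the WAN and LAN interface lists exist as in the default configuration.

```routeros
# RouterOS 7 default-configuration ordering of the forward chain.
# Order matters: fasttrack-connection must come BEFORE the generic accept for
# established/related. An accept terminates rule processing, so if it sits
# above fasttrack, the fasttrack rule is never reached and no connection ever
# enters the fast path.
/ip firewall filter
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add chain=forward action=fasttrack-connection comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add chain=forward action=accept comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add chain=forward action=drop comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" \
    connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

# Caveat: once a connection is fasttracked, its packets bypass the remaining
# filter and mangle rules and simple queues, so nothing placed below the
# fasttrack rule (or in mangle/queues) will ever see that traffic. Only the
# first packets of a connection (state=new) and whatever cannot be fasttracked
# (e.g. IPsec-policy traffic) are still processed by the rules below.

# Quick check after reordering: a dynamic "dummy" rule showing the fasttrack
# counters appears at the top of the filter list, and fasttracked connections
# carry the F flag in the connection table.
/ip firewall filter print where dynamic
/ip firewall connection print
```

The generic "accept established,related,untracked" rule directly under fasttrack is still required: it handles the packets that fasttrack does not take, and without it those packets fall through to the drop rules.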
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Fri Dec 30, 2022 7:57 pm

Sure, I will clean up your firewall rules, but first you have to post the config:

/export file=anynameyouwish (minus the router serial number near the top, and any public WAN IP information)
 
Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Re: Firewall Rule

Fri Dec 30, 2022 8:26 pm

# dec/30/2022 19:16:22 by RouterOS 7.6rc3
# software id = 5QPU-AP8A
#
# model = RB3011UiAS
# serial number = xxx
/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge
add disabled=yes name=dockers
/interface ethernet
set [ find default-name=ether2 ] comment=Ultron name="Eth2 Ultron"
set [ find default-name=ether10 ] comment=Audience name=Eth10_Audience
set [ find default-name=ether1 ] advertise=1000M-full mac-address=\
    20:83:F8:72:C2:5C rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] comment=OpenMediaVault
set [ find default-name=ether6 ] comment="Camera HikVision Wew" name=\
    "ether6 - Exterminator"
set [ find default-name=ether7 ] comment=OwnCloud
set [ find default-name=ether8 ] advertise=1000M-half,1000M-full comment=\
    Unitron full-duplex=no mtu=1480
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1492 name=\
    pppoe-out1 use-peer-dns=yes user=xxxxxxx
/interface veth
add address=192.168.1.30/24 gateway=192.168.1.1 name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/container mounts
add dst=/etc/pihole name=etc_pihole src=/disk1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/disk1/etc-dnsmasq.d
/disk
set usb1-part1 name=disk7
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MykiTiki
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip kid-control
add name=kid1
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=VPN_POOL ranges=192.168.10.2-192.168.10.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10h name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *0 dns-server=192.168.1.26 remote-address=dhcp use-encryption=yes
add bridge=bridge change-tcp-mss=yes dns-server=192.168.1.30 local-address=\
    VPN_POOL name="VPN L2TP" remote-address=VPN_POOL use-encryption=yes
/queue simple
add disabled=yes name=Minecraft target=192.168.1.14/32 time=0s-0s,
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=192.168.1.1/32 write-access=yes
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/container
add envlist=pihole_envsanced interface=veth1 mounts=etc_pihole,dnsmasq_pihole \
    root-dir=disk7/pihole
/container config
set ram-high=40.0MiB registry-url=https://registry-1.docker.io tmpdir=\
    disk7/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Riga
add key=WEBPASSWORD name=pihole_envs value=xxx
add key=DNSMASQ_USER name=pihole_envs value=root
/dude
set data-directory=disk4 enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    "ether6 - Exterminator"
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=\
    Eth10_Audience
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface="Eth2 Ultron"
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile="VPN L2TP" use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Andomor interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 disabled=yes interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxx="
/ip address
add address=192.168.1.1/24 comment="Glowne lacze" interface=bridge network=\
    192.168.1.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.1.13 client-id=1:8:55:31:49:99:b2 mac-address=\
    08:55:31:49:99:B2 server=dhcp1
add address=192.168.1.162 comment=MyComputer mac-address=xxxxxxxxxxxx \
    server=dhcp1
add address=192.168.1.18 client-id=\
    ff:32:ca:fd:45:0:1:0:1:27:ef:a8:42:dc:a6:32:ca:fd:45 mac-address=\
    DC:A6:32:CA:FD:45 server=dhcp1
add address=192.168.1.16 client-id=1:8:55:31:3a:69:9a mac-address=\
    08:55:31:3A:69:9A server=dhcp1
add address=192.168.1.200 client-id=1:e2:24:74:aa:5:11 comment=\
    "Galaxy Tab S6 Lite" mac-address=E2:24:74:AA:05:11 server=dhcp1
add address=192.168.1.31 client-id=\
    ff:32:ca:fd:45:0:1:0:1:28:a7:e9:e2:dc:a6:32:ca:fd:45 comment=OwnCloud \
    mac-address=DC:A6:32:CA:FD:45 server=dhcp1
add address=192.168.1.22 comment=Odkurzacz mac-address=C0:E4:34:09:5A:AA \
    server=dhcp1
add address=192.168.1.10 client-id=\
    ff:74:9d:d0:31:0:2:0:0:ab:11:b3:ca:22:f:80:a7:da:f1 comment=\
    OpenMediaVault mac-address=DC:A6:32:CA:FD:BC server=dhcp1
add address=192.168.1.33 client-id=1:c0:97:27:4c:e6:fe comment="Samsung 65''" \
    mac-address=C0:97:27:4C:E6:FE server=dhcp1
add address=192.168.1.17 client-id=\
    ff:45:f1:d0:74:0:2:0:0:ab:11:51:87:28:b4:8a:ad:e4:48 mac-address=\
    DC:A6:32:8B:55:0B server=dhcp1
add address=192.168.1.14 client-id=\
    ff:45:f1:d0:74:0:2:0:0:ab:11:61:16:ce:c5:7:3:8f:d8 comment=Pinecraft \
    mac-address=DC:A6:32:8B:55:0B server=dhcp1
add address=192.168.1.26 client-id=1:dc:a6:32:ca:fd:45 comment=PiHole \
    mac-address=DC:A6:32:CA:FD:45 server=dhcp1
add address=192.168.1.160 client-id=1:f2:73:38:e8:67:55 mac-address=\
    F2:73:38:E8:67:55 server=dhcp1
add address=192.168.1.165 client-id=1:50:eb:f6:2c:5c:2c mac-address=\
    50:EB:F6:2C:5C:2C server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.30 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.30
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=e14b0d1c1468.sn.mynetname.net list=MOJADRES
add address=185.48.176.29 list="DOSTEP DO WWW"
add address=192.168.1.0/24 list="LOKALNY SUBNET"
add address=27.116.56.0/22 comment=AFGHANISTAN list=CountryIPBlocks
add address=43.230.209.0/24 comment=AFGHANISTAN list=CountryIPBlocks
add address=192.168.1.165 list="DOSTEP DO WWW"
add address=192.168.1.162 list="DOSTEP DO WWW"
add address=192.168.1.0/24 list="DOSTEP DO WWW"
add address=andomor.ddns.net list=AndomorWAN
add address=192.168.32.0/24 list="DOSTEP DO WWW"
/ip firewall filter
add action=accept chain=input comment=pozwol_wireguard dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=wireguard_traffic disabled=yes \
    in-interface=pppoe-out1 src-address=192.168.32.0/24
add action=accept chain=input comment=wireguard_traffic disabled=yes \
    src-address=192.168.1.0/24
add action=drop chain=input comment="WAN PING DOSTEP" disabled=yes \
    in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input comment="WAN WWW DOSTEP" dst-port=222 \
    in-interface=pppoe-out1 protocol=tcp src-address-list="DOSTEP DO WWW"
add action=accept chain=forward dst-port=5944 protocol=tcp
add action=accept chain=forward dst-port=4893 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=445 protocol=tcp
add action=accept chain=input comment="LOCAL WWW DOSTEP" disabled=yes \
    dst-port=8080 protocol=tcp src-address-list="LOKALNY SUBNET"
add action=accept chain=input comment="WAN WINBOX DOSTEP" dst-port=8291 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="WAN SSH DOSTEP" dst-port=226 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="WAN FTP DOSTEP" disabled=yes dst-port=\
    450 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward dst-port=4893 protocol=tcp
add action=accept chain=input disabled=yes dst-port=53 in-interface=\
    pppoe-out1 protocol=udp
add action=accept chain=forward comment="Minecraft UDP" disabled=yes \
    dst-address=192.168.1.222 dst-port=25565 protocol=udp
add action=accept chain=forward comment="Minecraft TCP" disabled=yes \
    dst-address=192.168.1.134 dst-port=25565 protocol=tcp
add action=accept chain=input comment="L2TP PORTY" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input disabled=yes protocol=l2tp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=accept chain=forward comment="Drop to bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=accept chain=forward comment="Avoid spammers action" dst-port=\
    25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=yes port=53 \
    protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=yes port=53 \
    protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established disabled=yes
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    disabled=yes icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes \
    icmp-options=11:0 protocol=icmp
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=drop chain=forward comment="Drop to bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established disabled=yes
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related disabled=yes
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    disabled=yes icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=accept chain=input src-address=192.168.1.22
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=13231 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.32.0/24
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="OpenMediaVault File explorer" \
    dst-address-list=MOJADRES dst-port=4893 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=4893
add action=dst-nat chain=dstnat comment=PLEX dst-address-list=MOJADRES \
    dst-port=932 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
add action=dst-nat chain=dstnat comment="Minecraft TCP" disabled=yes \
    dst-address-list=MOJADRES dst-port=25565 protocol=tcp to-addresses=\
    192.168.1.14 to-ports=25565
add action=dst-nat chain=dstnat comment=OpenMediaVault dst-address-list=\
    MOJADRES dst-port=80 protocol=tcp to-addresses=192.168.1.10 to-ports=808
add action=dst-nat chain=dstnat comment="OpenMediaVault Phone access" \
    disabled=yes dst-address-list=MOJADRES dst-port=445 protocol=tcp \
    to-addresses=192.168.1.10 to-ports=445
add action=dst-nat chain=dstnat comment="OpenMediaVault Docker" disabled=yes \
    dst-address-list=MOJADRES dst-port=3938 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=3938
add action=dst-nat chain=dstnat comment=Octoprint disabled=yes \
    dst-address-list=MOJADRES dst-port=9359 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=9359
add action=dst-nat chain=dstnat comment=PLEX disabled=yes dst-address-list=\
    MOJADRES dst-port=32400 protocol=tcp to-addresses=192.168.1.10 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="Astronner TCP" dst-address-list=\
    MOJADRES dst-port=3074 protocol=tcp to-addresses=192.168.1.162 to-ports=\
    3074
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=500 protocol=udp to-addresses=\
    192.168.1.162 to-ports=500
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=88 protocol=udp to-addresses=\
    192.168.1.162 to-ports=88
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=500 protocol=udp to-addresses=\
    192.168.1.162 to-ports=500
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=3074 protocol=udp to-addresses=\
    192.168.1.162 to-ports=3074
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=3544 protocol=udp to-addresses=\
    192.168.1.162 to-ports=3544
add action=dst-nat chain=dstnat comment="Astronner UDP" disabled=yes \
    dst-address-list=MOJADRES dst-port=4500 protocol=udp to-addresses=\
    192.168.1.162 to-ports=4500
add action=dst-nat chain=dstnat comment="Astronner UDP" dst-address-list=\
    MOJADRES dst-port=8777 protocol=udp to-addresses=192.168.1.162 to-ports=\
    8777
add action=dst-nat chain=dstnat comment="qTorrent GUI" dst-address-list=\
    AndomorWAN dst-port=5944 protocol=tcp to-addresses=192.168.1.10 to-ports=\
    5944
add action=dst-nat chain=dstnat comment="qTorrent PORT TCP" dst-address-list=\
    AndomorWAN dst-port=6881 protocol=tcp to-addresses=192.168.1.10 to-ports=\
    6881
add action=dst-nat chain=dstnat comment="qTorrent PORT UDP" dst-address-list=\
    AndomorWAN dst-port=6881 protocol=udp to-addresses=192.168.1.10 to-ports=\
    6881
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=AndomorWAN dst-port=6881 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=6881
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=AndomorWAN dst-port=1234 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=1234
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=AndomorWAN dst-port=8000 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=8000
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=AndomorWAN dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.30 \
    dst-port=800 protocol=tcp to-addresses=192.168.10.30 to-ports=80
add action=dst-nat chain=dstnat comment="Andomor RDP for Aster" disabled=yes \
    dst-address-list=MOJADRES dst-port=3389 protocol=tcp to-addresses=\
    192.168.1.162 to-ports=3389
add action=dst-nat chain=dstnat comment="OWNCLOUD NIE RUSZA\C6" disabled=yes \
    dst-address=192.168.1.30 dst-address-list=MOJADRES dst-port=80 protocol=\
    tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat comment="OWNCLOUD NIE RUSZA\C6" disabled=yes \
    dst-address=192.168.1.30 dst-address-list=MOJADRES dst-port=80 protocol=\
    tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat comment="OWNCLOUD NIE RUSZA\C6" disabled=yes \
    dst-address-list=MOJADRES dst-port=8000 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=8000
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=MOJADRES dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=8080
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=MOJADRES dst-port=6881 protocol=udp to-addresses=\
    192.168.1.10 to-ports=6881
add action=dst-nat chain=dstnat comment=OpenMediaVault disabled=yes \
    dst-address-list=MOJADRES dst-port=6881 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=6881
add action=dst-nat chain=dstnat comment="OWNCLOUD NIE RUSZA\C6" disabled=yes \
    dst-address-list=MOJADRES dst-port=443 protocol=tcp to-addresses=\
    192.168.1.31 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address-list=MOJADRES \
    dst-port=200 protocol=tcp to-addresses=192.168.1.10 to-ports=200
add action=dst-nat chain=dstnat comment="dude mikrotik" disabled=yes \
    dst-port=8080 in-bridge-port-list=WAN in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.18 to-ports=8080
add action=dst-nat chain=dstnat comment="Minecraft UDP" disabled=yes \
    dst-port=25565 protocol=udp to-addresses=192.168.1.222 to-ports=25565
add action=dst-nat chain=dstnat comment="Camera Home" disabled=yes dst-port=\
    164 protocol=tcp to-addresses=192.168.1.1 to-ports=164
add action=dst-nat chain=dstnat comment=RTMP disabled=yes dst-port=1935 \
    protocol=tcp to-addresses=192.168.1.1 to-ports=1935
add action=dst-nat chain=dstnat comment=RTPS disabled=yes dst-port=555 \
    protocol=tcp to-addresses=192.168.1.1 to-ports=555
add action=dst-nat chain=dstnat comment=RTPS disabled=yes dst-port=555 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=555
add action=dst-nat chain=dstnat comment="Kamera zew" disabled=yes dst-port=\
    200 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.200 \
    to-ports=463
add action=accept chain=dstnat comment="dost\C4\99p zdalny mikrotik" \
    disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.1.1 to-ports=443
add action=dst-nat chain=dstnat comment=winbox disabled=yes dst-port=8291 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.1 to-ports=8291
add action=dst-nat chain=dstnat comment="\?" disabled=yes in-interface-list=\
    WAN to-addresses=192.168.1.1
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.30
add action=masquerade chain=srcnat disabled=yes
/ip firewall service-port
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add comment="recznie zrobione" disabled=yes distance=2 dst-address=0.0.0.0/0 \
    gateway=pppoe-out1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=yes target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.1/32 gateway=*15 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
x
/ip smb
set allow-guests=no comment=WD1TB domain=AndomorSerwer
/ip smb shares
set [ find default=yes ] directory=/disk1 disabled=yes name=WD1TB
/ip smb users
set [ find default=yes ] name=xxxx
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd
set default-screen=stat-slideshow time-interval=daily
/ppp secret
add name=Andrew162 profile="VPN L2TP" remote-address=192.168.1.163 service=\
    l2tp
add name=AndrewPhone profile="VPN L2TP" service=l2tp
add disabled=yes name=Tomek profile="VPN L2TP" service=l2tp
add name=TabletGalaxy profile="VPN L2TP" service=l2tp
add name=Bartek profile="VPN L2TP" service=l2tp
add disabled=yes name=Saber profile="VPN L2TP" service=l2tp
add disabled=yes name=Internet123!-secret
add disabled=yes name=Rabi profile="VPN L2TP" remote-address=192.168.1.164 \
    service=l2tp
add name=Citronex profile="VPN L2TP" remote-address=192.168.1.175 service=\
    l2tp
add name=Sandra profile="VPN L2TP" service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Tikimyki
/system package update
set channel=testing
/system scheduler
add comment=xxx disabled=yes interval=30s name=NO-IP on-event=\
    p0p.ddns.net policy=read,write,test start-date=apr/21/2021 start-time=\
    09:46:44
add comment=xxxx disabled=yes interval=35s name=NO-IP on-event=\
    xxx policy=read,write,policy,test start-time=startup
add comment=ALLDDNS disabled=yes interval=10m name=NO-IP on-event=ALLDDNS \
    policy=read,write,test start-time=startup
add name=startup-beep on-event="Startup: Super Mario Bros" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
/system script
add dont-require-permissions=no name=andomor.ddns.net owner=admin policy=\
    read,write,test source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup -----\
    -------------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"xxx\"\r\
    \n:local noippass \"xxx\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotat\
    ions below with your host names.\r\
    \n# To specify multiple hosts, separate them with commas.\r\
    \n:local noiphost \"xxx\"\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"pppoe-out2\"\r\
    \n\r\
    \n#-----------------------------------------------------------------------\
    -------------\r\
    \n# No more changes need\r\
    \n\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
    \_disabled=no] address]\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n           :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n       } \r\
    \n   }\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n       :log info \"No-IP: Current IP \$currentIP is not equal to previou\
    s IP, update needed\"\r\
    \n       :set previousIP \$currentIP\r\
    \n\r\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
    red since \? is a special character in commands.\r\
    \n       :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
    entIP\"\r\
    \n       :local noiphostarray\r\
    \n       :set noiphostarray [:toarray \$noiphost]\r\
    \n       :foreach host in=\$noiphostarray do={\r\
    \n           :log info \"No-IP: Sending update for \$host\"\r\
    \n           /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
    r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
    . \".txt\")\r\
    \n           :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
    rentIP\"\r\
    \n       }\r\
    \n   }  else={\r\
    \n       :log info \"No-IP: Previous IP \$previousIP is equal to current I\
    P, no update needed\"\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so there\
    fore will not update.\"\r\
    \n}"
add dont-require-permissions=no name=owncloud owner=adminnt policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="s\
    udo nano /etc/lighttpd/lighttpd.conf\r\
    \n\r\
    \nsudo nano /var/www/owncloud/config/config.php\r\
    \n\r\
    \n/system ssh 192.168.1.31 user=root\r\
    \nxxx\r\
    \nhttps://www.avoiderrors.com/install-owncloud-on-raspberry-pi-4-2/\r\
    \nSetup USB HDD to owncloud\r\
    \n\r\
    \n\r\
    \n######overclock debian#########\r\
    \nsudo nano /boot/config.txt \r\
    \n#napiecie\r\
    \nover_voltage=-2\r\
    \n#max arm\r\
    \narm_freq=1500\r\
    \n#minimum arm\r\
    \ncore_freq=500\r\
    \ngpu-freq=600\r\
    \n\r\
    \narm_freq=2200\r\
    \ngpu_freq=750\r\
    \nover_voltage=6\r\
    \n\r\
    \n###################\r\
    \novervoltage ubuntu\r\
    \n\r\
    \nsudo nano /boot/firmware/config.txt\r\
    \nsudo nano /boot/config.txt\r\
    \n\r\
    \n\r\
    \n##########check linux version########\r\
    \ncat /etc/*release\r\
    \n#######################OMV\r\
    \n/system ssh 192.168.1.10 user=pi\r\
    \n\r\
    \npass B\r\
    \n########################\r\
    \n\r\
    \n\r\
    \n\r\
    \n/var/www/lighttpd.html\r\
    \nstrona glowna \r\
    \n\r\
    \nsudo su - strona glowna powrot"
add dont-require-permissions=no name=igor owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="H\
    ello Igor\r\
    \nHello Hermanto\r\
    \n\r\
    \nIm a tester gaming/software in Aster with many year experience\r\
    \n\r\
    \nBefore start typing about games. Some hardware requirements need to be a\
    complish depend of pc power (what license for computer/how many workstatio\
    n per PC) like USB HUB with Active power(for many workstation recomend usb\
    3.0), USB music cards\r\
    \nThe entire proces of configuring the Aster its simple like drag and drop\
    \_device to each workstation.\r\
    \nGaming.\r\
    \nFor counter stike GO -\r\
    \nhttps://www.youtube.com/watch\?v=KAGogEKn_pg\r\
    \nIts a non steam version\r\
    \nAfter correct config IP in aster which we can provide tutorial how its e\
    xactly need to be done step by step\r\
    \nYou can easily play this game on the maximum number of workstations we p\
    rovide which is 12\r\
    \nFor each workstation, I recommend 2 processor cores that can be set rigi\
    dly in Aster + SSD + GTX1080ti \r\
    \nWe cant provide exactly parametrs of computer becaouse each game provide\
    \_diffrent requirements and its depend how many Workstation will you put t\
    o each computer.\r\
    \nSo the limit of \"how many games we can launch on Aster\" its only depen\
    d how powerfull PC we got\r\
    \n\r\
    \nIn some cases we can also install game again on diffrent SSD/HDD so for \
    example 4 user Run the game from C drive SSD other 4 from D SSD - if we wa\
    nt to load games quickly and smoothly, with a large number of users.\r\
    \nPlease keep in mind that when computer launch second (for example ) Coun\
    ter strike its not \"eat\" x2 resources of PC, but arround x0.2 - x0.8 usu\
    ally its arround x0.5 becaouse no need run DLL some files twice etc.\r\
    \nFor example if we got in Counter strike 100FPS\r\
    \nand we run second Counter strike . Both users will experience arround 80\
    -90FPS /not half \r\
    \n\r\
    \nOfcors i will test all that games for you Hermanto for give you idea how\
    \_its will perform.\r\
    \nI'm also on the support team where I mainly do game support , so after t\
    he purchase, our support does not end, but vice versa. I'm always here to \
    help you.\r\
    \nI will test other games and send you results until monday.\r\
    \n\r\
    \nRegards\r\
    \nxxx\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name=Pinecraft owner=adminnt source="pi\r\
    \nB....\r\
    \n\r\
    \nscreen -ls\r\
    \npokaze co jest uruchomione\?\r\
    \n\r\
    \n#######################\r\
    \nTerminal : ssh -l pi 192.168.1.14\r\
    \np: B\r\
    \nscreen -R Pinecraft\r\
    \ntam piszemy komendy bez \" / \"\r\
    \nop Tata\r\
    \nPokaze log CLI do serwera minecrafta\r\
    \n\r\
    \nCTRL+C zapisze gre i zamknie server!!\r\
    \nsave-all zapisuje gr\EA bez wy\B3aczania jej\r\
    \n#######################\r\
    \n\r\
    \n /op [name]\r\
    \n/time set 0     =dzien\r\
    \n/say <wiadomo\9C\E6>\r\
    \n/tp [gracz] <x> <y> <z>\r\
    \nweather <typ pogody> [czas]  (clear,rain,thunder)\r\
    \nxp <ilo\9C\E6 poziom\F3w>L [gracz]\r\
    \ngive <gracz> <przedmiot> [ilo\9C\E6] [metadata] [tag danych]\r\
    \n/give @p diamond_pickaxe 1\r\
    \n\r\
    \n/xp 1400 Morsik\r\
    \n/give LordHeniek diamond 1\r\
    \n\r\
    \n####################\r\
    \nsprawdzanie temp GPU\r\
    \nvcgencmd measure_temp\r\
    \n##################\r\
    \nsprawdzanie temp CPU\r\
    \ncat /sys/class/thermal/thermal_zone0/temp\r\
    \nI podziel przez 1000\r\
    \n###################\r\
    \n\r\
    \n/save-all     zapis stani gry\r\
    \n1400 xp = 30 lvl\r\
    \n\r\
    \nPiti M\F3wi\B3 ze to jest w sam raz ( 2018-10-19 15:57)\r\
    \n\r\
    \n/tp LordHeniek Andomor    => przeteleportuje Henka do mnie\r\
    \n\r\
    \n29,5\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \nSERVER BLOCZKI\r\
    \n/is home\r\
    \n/is home mag\r\
    \n/warp skup  -skupowanie\r\
    \n/warp sklep   -kupowanie\r\
    \n/zadania lista\r\
    \n/is home 100 = kopanie kamienia\r\
    \n\r\
    \n-Xmx1G -Xmn128M\r\
    \n\r\
    \nTak do pogadania Dupy kompy itp ;) (bez gejostw-tym bardziej nie ja) . C\
    zy tylko dupy szukasz\? :)\r\
    \n\r\
    \n-1208,69,330 gospodarka ludzikow\r\
    \n\r\
    \n-6590, 71, -259 misja pod wod\B9\r\
    \n\r\
    \n\r\
    \n-232, 67, 348 DOM\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name="Music: Super Mario Bros" owner=admin \
    policy=read source=":beep frequency=660 length=100ms;\
    \n:delay 150ms;\
    \n:beep frequency=660 length=100ms;\
    \n:delay 300ms;\
    \n:beep frequency=660 length=100ms;\
    \n:delay 300ms;\
    \n:beep frequency=510 length=100ms;\
    \n:delay 100ms;\
    \n:beep frequency=660 length=100ms;\
    \n:delay 300ms;\
    \n:beep frequency=770 length=100ms;\
    \n:delay 550ms;\
    \n:beep frequency=380 length=100ms;"
add dont-require-permissions=no name="Music: Thunderstruck" owner=admin \
    policy=read source=":local n11 63,66;\
    \n:local n12 64,67;\
    \n:local n21 71,69,68,69,68,66,68,64,66,63;\
    \n:local n22 64,63;\
    \n\
    \n:local n11 (\$n11,\$n11);\
    \n:local n12 (\$n12,\$n12);\
    \n:local n1 (\$n11,\$n11,\$n12,\$n12);\
    \n:local n2 (\$n21,\$n22,\$n22,\$n22);\
    \n:local notes (\$n1,\$n1,\$n2,\$n2);\
    \n  \
    \n:local ticks 2;\
    \n:local speed 55ms;\
    \n:local stacc 5ms;\
    \n# Transposition\
    \n:local transpose -48;\
    \n# ==============================\
    \n# Don't change this:\
    \n:local frqtab 8372,8869,9397,9956,10548,11175,11839,12543,13288,14080,14\
    916,15804;\
    \n:local n0; :local n;\
    \n:local d0; :local d;\
    \n:local l;\
    \n:local midi;\
    \n:local i;\
    \n:local octa;\
    \n:local frq;\
    \n:for i from=0 to= ([:len \$notes]-1) do={\
    \n:set midi [:pick \$notes \$i];\
    \n:set midi (\$midi + \$transpose);\
    \n:set octa 0;\
    \n:while ( \$midi < 60) do={:set midi (\$midi + 12); :set octa (\$octa + 1\
    \_  ); };\
    \n:set midi (\$midi - (12 * (\$midi /12)));\
    \n:set frq [:tonum [:pick \$frqtab \$midi]];\
    \n:set frq (\$frq>>(\$octa));\
    \n:set d0 \$ticks;\
    \n:set d (\$d0 * \$speed );\
    \n:set l (\$d0 * (\$speed - \$stacc));\
    \n:beep fr=\$frq le=\$l;\
    \n:delay \$d;\
    \n:set midi 59;\
    \n:set midi (\$midi + \$transpose);\
    \n:set octa 0;\
    \n:while ( \$midi < 60) do={:set midi (\$midi + 12); :set octa (\$octa + 1\
    \_  ); };\
    \n:set midi (\$midi - (12 * (\$midi /12)));\
    \n:set frq [:tonum [:pick \$frqtab \$midi]];\
    \n:set frq (\$frq>>(\$octa));\
    \n:set d0 \$ticks;\
    \n:set d (\$d0 * \$speed );\
    \n:set l (\$d0 * (\$speed - \$stacc));\
    \n:beep fr=\$frq le=\$l;\
    \n:delay \$d;\
    \n}"
add dont-require-permissions=no name="Startup: Super Mario Bros" owner=admin \
    policy=read source=\
    "delay 5;\
    \n/system script run \"Music: Super Mario Bros\";"
add dont-require-permissions=no name="Music: Imperial March  (Star Wars)" \
    owner=admin policy=read source=":beep frequency=500 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=500 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=500 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=400 length=500ms;\
    \n:delay 400ms;\
    \n:beep frequency=600 length=200ms;\
    \n:delay 100ms;\
    \n:beep frequency=500 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=400 length=500ms;\
    \n:delay 400ms;\
    \n:beep frequency=600 length=200ms;\
    \n:delay 100ms;\
    \n:beep frequency=500 length=500ms;\
    \n:delay 1000ms;\
    \n:beep frequency=750 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=750 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=750 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=810 length=500ms;\
    \n:delay 400ms;\
    \n:beep frequency=600 length=200ms;\
    \n:delay 100ms;\
    \n:beep frequency=470 length=500ms;\
    \n:delay 500ms;\
    \n:beep frequency=400 length=500ms;\
    \n:delay 400ms;\
    \n:beep frequency=600 length=200ms;\
    \n:delay 100ms;\
    \n:beep frequency=500 length=500ms;\
    \n:delay 1000ms;"
add dont-require-permissions=no name="Music: Jurassic Park" owner=admin \
    policy=read source=":beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=1775ms;\
    \n:delay 1800ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=1775ms;\
    \n:delay 1800ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=523 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=523 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=622 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=622 length=1775ms;\
    \n:delay 1800ms;\
    \n:beep frequency=587 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=523 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=349 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=587 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=523 length=1775ms;\
    \n:delay 1800ms;\
    \n:beep frequency=698 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=622 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=587 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=587 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=523 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=523 length=3575ms;\
    \n:delay 3600ms;\
    \n:delay 600ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=349 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=311 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=349 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=311 length=575ms;\
    \n:delay 600ms;\
    \n:beep frequency=466 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=440 length=275ms;\
    \n:delay 300ms;\
    \n:beep frequency=466 length=875ms;\
    \n:delay 900ms;\
    \n:beep frequency=349 length=575ms;"
add dont-require-permissions=no name="Music: Crazy Train" owner=admin policy=\
    read source=":beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:delay 1200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:delay 400ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:delay 400ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:delay 1200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:delay 400ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:delay 400ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=440 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=415 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=330 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=370 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=554 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=494 length=175ms;\
    \n:delay 200ms;\
    \n:beep frequency=587 length=775ms;\
    \n:delay 800ms;\
    \n:beep frequency=330 length=775ms;\
    \n:delay 800ms;"
add dont-require-permissions=no name="Startup: Crazy Train" owner=admin \
    policy=read source="delay 5;\
    \n/system script run \"Music: Crazy Train\";"
add dont-require-permissions=no name="Startup: Thunderstruck" owner=admin \
    policy=read source=\
    "delay 5;\
    \n/system script run \"Music: Thunderstruck\";"
add dont-require-permissions=no name="Startup: Imperial March" owner=admin \
    policy=read source=\
    "delay 5;\
    \n/system script run \"Music: Imperial March  (Star Wars)\";"
add dont-require-permissions=no name="Startup: Jurassic Park" owner=admin \
    policy=read source=\
    "delay 5;\
    \n/system script run \"Music: Jurassic Park\";"
add dont-require-permissions=no name="Pihole Docker" owner=adminnt policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface/veth/add name=veth1 address=192.168.1.30/24 gateway=192.168.1.1\
    \r\
    \n/interface/bridge/port add bridge=bridge interface=veth1\r\
    \n/ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.\
    1.0/24\r\
    \n/container/envs/add name=pihole_envs key=TZ value=\"Europe/Riga\"\r\
    \n/container/envs/add name=pihole_envs key=WEBPASSWORD value=\"YourPasswor\
    d\"\r\
    \n/container/envs/add name=pihole_envs key=DNSMASQ_USER value=\"root\"\r\
    \n/container/mounts/add name=etc_pihole src=disk1/etc dst=/etc/pihole\r\
    \n/container/mounts/add name=dnsmasq_pihole src=disk1/etc-dnsmasq.d dst=/e\
    tc/dnsmasq.d\r\
    \n/container/config/set registry-url=https://registry-1.docker.io tmpdir=d\
    isk1/pull\r\
    \n/container/add remote-image=pihole/pihole:latest interface=veth1 root-di\
    r=disk1/pihole mounts=dnsmasq_pihole,etc_pihole envlist=pihole_envs\r\
    \n/container/print\r\
    \n\r\
    \n/container/start 0\r\
    \n\r\
    \n#after start = wait 1 min#\r\
    \n/container/config/set ram-high=200M\r\
    \n\r\
    \n/ip firewall nat\r\
    \nadd action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=80 pro\
    tocol=tcp to-addresses=172.17.0.2 to-ports=80"
add dont-require-permissions=no name=qBittorent owner=adminnt policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "admin\r\
    \nInternet123!"
add dont-require-permissions=no name=Octoprint owner=adminnt source="Czarna Li\
    sta\r\
    \nplugins.octoprint.org/blacklist.json\r\
    \n\r\
    \noctoprint/octoprint:latest\r\
    \n\r\
    \nStoi na porcie 80\r\
    \nPrzekierowa\E6 np 9350:80\r\
    \n"
add dont-require-permissions=no name=wireguard owner=adminnt source="ip/firewa\
    ll/filter/ add action=accept chain=input comment=\"pozw\r\
    \nol_wireguard\" dst-port=13231 protocol=udp place-before=1\r\
    \n\r\
    \n\r\
    \n\r\
    \nip firewall/filter/add action=accept chain=input comment=\"wireg\r\
    \nuard_traffic\" src-address=192.168.1.0/24 place-before=1"
/tool graphing
set page-refresh=30
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool sniffer
set streaming-server=78.8.213.193:http
My Mikrotik is an RB3011UiAS.
The second one is an Audience; it works as Wi-Fi only.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Fri Dec 30, 2022 10:03 pm

(1) Would set this to NONE as known to have caused issues in the past and its usage is not understood.

/interface detect-internet
set detect-interface-list=all

(2) This could be a problem ???
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Andomor interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxx="
add allowed-address=0.0.0.0/0 disabled=yes interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxx="


What is at the other end of the Wireguard connection? Is the router a client when starting the tunnel or the server??
What is the purpose of your wireguard ( who is coming in and who is going out )?
The problem is, how does the router know which peer to send traffic down if both have dst-address=0.0.0.0/0?
In this case all traffic will go out the first peer and never will the second peer be used!

I see the second one is disabled so all good, but one should be aware of the issue.

(3) Sloppy config setup........... duplicate, just remove IP DHCP Client, never going to use it as pppoe is in place.
/ip dhcp-client
add disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether1


(4) You can probably get rid of this default static setting......
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan


(5) Good!!!
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons

I personally do not do bogons this way if I am inclined to do them at all, really not necessary but I prefer.......
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=169.254.0.0/16

(NOTE1: add more bogon addresses as you see fit.)

I do question the loopback bogon because I know MT uses it for capsman and other functions............ its a default rule in place.

(6) Yeah, your firewall rules are not about ensuring valid traffic flows but more concerned with every crappy YouTube advice to put bloatware on the router. So many duplicates, a mess!
The MT is not an edge router device.............
I was glad to see this rule disabled because it was nonsense............
add action=accept chain=input comment=wireguard_traffic disabled=yes \
in-interface=pppoe-out1 src-address=192.168.32.0/24


This was just a dumb security risk..............it never fails to astonish me, the bloatware folks overdo it on the useless stuff and then put big gaping holes in the default rules .......
add action=accept chain=input comment="WAN WINBOX DOSTEP" dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp



Fixed............. Default rules in black, user rules in green.
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment=pozwol_wireguard dst-port=13231 \
protocol=udp
add action=accept chain=input comment="L2TP PORTY" dst-port=500,1701,4500 \
protocol=udp
add action=accept chain=input comment="allow support list access" dst-port=8291 protocol=tcp \
src-address-list=support
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"

{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


The premise is keep most of the needed default rules, add the user traffic that needs to flow and drop all else.
Thus if you need more folks to be able to access winbox for example add them to the source list.
If users also need access to NTP services then add the appropriate user rule in the input chain.

You had way too many open ended forward chain rules, for ports or addresses, which makes no sense if they are within the same Bridge/Subnet.
You may want to consider appropriate wireguard rules...................
For example
if one had incoming wireguard users for your internet
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN

If one had users needing to go out the wireguard tunnel
add action=accept chain=forward src-address=192.168.1.0/24 out-interface=wireguard1

You can narrow it down in firewall rules to exactly who has access to what (avoid open ended rules, have coming from and going to etc.)

(7) What is the purpose of these two rules ??????..... They don't make sense to me..................
add action=masquerade chain=srcnat src-address=192.168.32.0/24
add action=masquerade chain=srcnat src-address=192.168.1.0/24


The one rule I would have before the first default rule is
add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 { required hairpin nat rule if local users connect to server via WANIP }

(8) I was too lazy to go through the exercise but you can shorten your list of port forwarding rules...........
For every TCP going to IP address X, one rule,
For every UDP going to IP address X, one rule,
In other words you can list all the ports dst-ports=port1,port2,port3,port4 etc.. AS LONG AS there is no port translation. Same port coming in, same port going to IP address.

By the way no need for to-ports if same as dst-ports, ONLY required if there is port translation.


(9) This is the correct format for your destination nat rules........... " dst-address-list=MOJADRES "

Why did you then deviate ???????????
in-bridge-port-list=WAN in-interface-list=WAN ???

Then some missing any reference to the destination..........
add action=dst-nat chain=dstnat comment=RTMP ?????????? disabled=yes dst-port=1935 \
protocol=tcp to-addresses=192.168.1.1 to-ports=1935

(10) Many garbage rules floating around, keep your config clean, and keep copies on your PC for the dirty ones............
add action=accept chain=dstnat comment="dost\C4\99p zdalny mikrotik" \
disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.1.1 to-ports=443
add action=dst-nat chain=dstnat comment=winbox disabled=yes dst-port=8291 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.1 to-ports=8291
add action=dst-nat chain=dstnat comment="\?" disabled=yes in-interface-list=\
WAN to-addresses=192.168.1.1
add action=masquerade chain=srcnat disabled=yes src-address=192.168.1.30
add action=masquerade chain=srcnat disabled=yes


(11) Same goes for disabled routes, just remove.................... don't see one for wireguard traffic but likely not required depending upon requested clarity of purpose...............
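A small lint over a RouterOS export that checks the three points made in this reply: a fasttrack rule placed below "accept established,related" (so it never matches and throughput drops), a chain without a final drop, and a management port accepted from the WAN without a source address list. This is an added example, not code from the post or from MikroTik; it assumes the WAN is the interface list "WAN" or a pppoe-* interface as in the thread's config, and both sample exports are constructed.

```python
"""Lint the /ip firewall filter section of a RouterOS export for the problems raised
above: fasttrack shadowed by accept established,related, no final drop, and a management
port accepted from WAN without a source list.  Added example, not from the post or MikroTik."""
import re

# Ports a practitioner would not accept from WAN without a source restriction (ssh, telnet, www, www-ssl, winbox, api, api-ssl).
MGMT_PORTS = {"22", "23", "80", "443", "8291", "8728", "8729"}
# Keys that do not narrow what a rule matches (used by the catch-all check).
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

# Constructed sample in the style of the thread's export: fasttrack below "accept
# established,related", winbox open on the pppoe WAN, and no final drop rule.
BAD_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="WAN WINBOX DOSTEP" dst-port=8291 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
"""

# Constructed sample with the ordering recommended in the reply above.
GOOD_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow support list access" dst-port=8291 \
    protocol=tcp src-address-list=support
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""

def join_continuations(text):
    """Rejoin lines wrapped with a trailing backslash; '\\_' in an export is an escaped space."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()            # continuation indentation is not significant
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append((buf + line).replace("\\_", " "))
        buf = ""
    return lines

def parse_filter_rules(text):
    """Return the `add` rules under /ip firewall filter as dicts (quotes stripped)."""
    rules, in_section = [], False
    for line in join_continuations(text):
        if line.startswith("/"):
            in_section = line.replace(" ", "/") == "/ip/firewall/filter"
        elif in_section and line.startswith("add "):
            pairs = re.findall(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)', line[4:])
            rules.append({k: v[1:-1] if v.startswith('"') else v for k, v in pairs})
    return rules

def is_catch_all_drop(rule):
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS)

def faces_wan(rule):
    """True if the rule can match traffic arriving on the WAN (assumed naming: list WAN or pppoe-*)."""
    iface = rule.get("in-interface-list") or rule.get("in-interface") or "any"
    return iface in ("any", "WAN") or iface.startswith("pppoe")

def lint_filter(text):
    """Return (code, chain, message) findings; an empty list means nothing was flagged."""
    chains, findings = {}, []
    for r in parse_filter_rules(text):
        if r.get("disabled") != "yes":               # disabled rules match nothing
            chains.setdefault(r.get("chain", "?"), []).append(r)
    for chain, rs in chains.items():
        ft = next((i for i, r in enumerate(rs) if r.get("action") == "fasttrack-connection"), None)
        est = next((i for i, r in enumerate(rs) if r.get("action") == "accept"
                    and "established" in r.get("connection-state", "")), None)
        if ft is not None and est is not None and ft > est:
            findings.append(("FASTTRACK_SHADOWED", chain,
                             "fasttrack sits below accept established,related and never matches"))
        if chain in ("input", "forward") and not is_catch_all_drop(rs[-1]):
            findings.append(("NO_FINAL_DROP", chain, "chain does not end in an unconditional drop"))
    for r in chains.get("input", []):
        ports = set(r.get("dst-port", "").split(",")) & MGMT_PORTS
        restricted = "src-address" in r or "src-address-list" in r
        if r.get("action") == "accept" and ports and faces_wan(r) and not restricted:
            findings.append(("MGMT_OPEN_TO_WAN", "input",
                             f"port {','.join(sorted(ports))} accepted from WAN without a source list"))
    return findings
```

Running `lint_filter(BAD_EXPORT)` flags the shadowed fasttrack in the forward chain, the missing final drop in both chains and the open winbox port, while the reordered GOOD_EXPORT produces no findings.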
 
Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Re: Firewall Rule

Fri Dec 30, 2022 10:47 pm

1)
/interface detect-internet
set detect-interface-list=all

You are right,
I corrected this

2)
Wireguard is my VPN to home
So I can watch my cameras, servers, etc.
0.0.0.0/0 because my phone on LTE switches IP all the time, so I set access to all
xxxx is of course some real looong key for access

3)
My config is a mix of many tutorials and my own learning from the beginning. Yes.. it's messy :)
DHCP client is disabled. But yeah.. no reason to keep it

4)
DNS needs to be set to 192.168.1.30 = it's my pihole running in a veth1 container inside Mikrotik
-and it works very well

5)
I don't understand this point
I don't know what bogons are.. it's an address list.. like?

6)
I'm not sure why to add this entry
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=169.254.0.0/16
Will it block any other subnets.. not like mine?

add action=accept chain=input comment="WAN WINBOX DOSTEP" dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp

I did that because many times I connect to my Mikrotik from work via Winbox too, to look at the settings
or some entire configuration (a working one) and copy some part to the "in work" other Mikrotik
Also to investigate logs and all the time "update", fix and improve the entire config ... in small steps


add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
This entry slows down my Mikrotik exactly
But from Wikipedia.. I can't figure out what that exactly does

Many of the entries, as you can see, are just disabled.


I connect to my Mikrotik via smartphone sometimes... but. yeah
I think I can select only my business IP from work



...I'm still processing the second part of your answer :)
 
Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Re: Firewall Rule

Fri Dec 30, 2022 11:14 pm

Continue...

I have many Forward chain rules in NAT because
I use a lot of external servers like plex, torrent, openMediaVault, FileServer, Minecraft and others.
Some are running all the time
Some I enable and disable as needed


add action=masquerade chain=srcnat src-address=192.168.32.0/24
add action=masquerade chain=srcnat src-address=192.168.1.0/24

One is for local devices
the second for Wireguard

Not totally sure why.. but that information was in some tutorial

Some ports.. for example eth port x has a Raspberry Pi with containers or multiple servers
That's why
Correct me if I'm wrong

9) that was the test :)

10) ok, I agree
11) I need to learn more about routes I guess
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Fri Dec 30, 2022 11:25 pm

Up to you what you want to do with the information.........

If you produce a cleaner version I can have a look and comment............
 
Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Re: Firewall Rule

Fri Dec 30, 2022 11:35 pm

Up to you what you want to do with the information.........

If you produce a cleaner version I can have a look and comment............
I will clean up as much as I can and send you back a new "more fresh config" in the next couple of days
Thank you for help
 
Andrew162
Frequent Visitor
Topic Author
Posts: 64
Joined: Thu Mar 25, 2021 9:40 am

Re: Firewall Rule

Thu Jan 05, 2023 7:32 pm

I just realized that at the end of my code... there's something very suspicious

/tool sniffer
set streaming-server=78.8.213.193:http
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall Rule

Thu Jan 05, 2023 10:15 pm

Why, it didn't get there by itself, you must have put it there if you are the only admin on the machine.
If not needed remove it.
