Wed Feb 21, 2024 10:49 pm
Dont know your current setup but this is the basic default rule setup with the switch done. Block all, use accept rules to add traffic to be allowed ( just before the drop all rule ). Stops vlan to vlan traffic cold.
/ip firewall filter
{Input Chain}
( default rules to keep )
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
( admin added rules )
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" { put this rule in last, without the LAN rule above you will be locked out }
{forward chain}
( default rules to keep )
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
( admin added rules )
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN[/b]
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat[/color] { disable or remove if not required }
add action=drop chain=forward comment="drop all else"