Thank you so much for your help! I cleaned up the rules and now it looks like this:
Everything seems to be working as expected:
- only machines on the allowed_to_router can access it
- removed redundant rules
- added a fix for NTP because of my crappy ISP
- I'm redirecting DNS requests from a specific list (cof cof Roku cof cof) to a pihole
- not sure if I need to keep the remove google dns from there, but I'll keep it for now.
I'm a bit confused by the counters for NAT: they show as zero for the src rules in masquerade, but without these rules, the DNS queries are not redirected. Is this expected?
Thanks a bunch again!
Code:
/ip firewall address-list
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=8.8.8.8 comment="google DNS" list=GOOGLE_DNS
add address=8.8.4.4 comment="google DNS" list=GOOGLE_DNS
add address=192.168.10.11 comment=roku list=redirect_dns
add address=192.168.10.7 comment=chiba list=redirect_dns
add address=192.168.10.7 list=allowed_to_router
add address=192.168.10.12 list=allowed_to_router
add address=192.168.0.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow list to router" src-address-list=allowed_to_router
add action=accept chain=input comment="Allow query DNS server in router - UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow query DNS server in router - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=fw_invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="fix the ntp client by changing its source port 123 with something higher (mikrotik forum 794718)" protocol=udp src-port=123 to-ports=12400-12440
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=udp src-address-list=redirect_dns
add action=masquerade chain=srcnat dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=tcp src-address-list=redirect_dns
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=udp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=tcp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
Statistics: Posted by tunguskalabs — Sat Feb 03, 2024 11:58 pm
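The counter question above comes down to rule order within each chain, which can be read straight from the export. As an added example (not code from the post, from MikroTik, or from the forum), this Python script parses a RouterOS `/export`-style firewall dump into ordered rules per chain, so that each rule's position can be matched against the rows of `/ip firewall nat print stats`, and it flags any rule placed after a catch-all terminal rule in its chain, which can never match. The embedded sample is a constructed subset of the rules in the post; the `parse_export`, `chain_order` and `unreachable_rules` names are this example's own.

```python
"""Parse a RouterOS '/export'-style firewall dump and report rule order per chain.

Added example, not taken from the post or from MikroTik. The export syntax is
RouterOS's own; the parser and the checks below are this example's.
"""
import shlex
from collections import defaultdict

# Constructed sample input: a subset of the rules posted above, one per line,
# in the same order as the post.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow list to router" src-address-list=allowed_to_router
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop google DNS" dst-address-list=GOOGLE_DNS log=yes log-prefix=googledns
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.10.2 dst-port=53 log=yes log-prefix=roku_dns_src protocol=udp src-address-list=redirect_dns
add action=dst-nat chain=dstnat dst-port=53 log-prefix=roku_dns_dst protocol=udp src-address-list=redirect_dns to-addresses=192.168.10.2 to-ports=53
"""

# Keys that do not narrow which packets a rule matches.
NON_MATCHER_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}
# Actions that end evaluation of the chain for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


def parse_export(text):
    """Return rules as dicts of key -> value, plus 'section' and a 1-based 'pos' within their chain."""
    rules = []
    section = None
    positions = defaultdict(int)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # e.g. "/ip firewall nat" opens a new section
            section = line
            continue
        tokens = shlex.split(line)        # keeps comment="quoted value" as one token
        if tokens[0] != "add":
            continue
        rule = {"section": section}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")   # split on the first '=' only
            rule[key] = value
        chain = (section, rule.get("chain"))
        positions[chain] += 1
        rule["pos"] = positions[chain]
        rules.append(rule)
    return rules


def chain_order(rules, section, chain):
    """Ordered (pos, action, comment) tuples for one chain; pos lines up with 'print stats' rows."""
    return [(r["pos"], r["action"], r.get("comment", ""))
            for r in rules if r["section"] == section and r.get("chain") == chain]


def unreachable_rules(rules):
    """Rules placed after an enabled catch-all terminal rule in the same chain can never match."""
    shadowed = []
    blocked = set()
    for r in rules:
        chain = (r["section"], r.get("chain"))
        if chain in blocked:
            shadowed.append(r)
            continue
        if r.get("disabled") == "yes":
            continue
        matchers = set(r) - NON_MATCHER_KEYS - {"section", "pos"}
        if not matchers and r.get("action") in TERMINAL_ACTIONS:
            blocked.add(chain)
    return shadowed


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for sec, ch in (("/ip firewall filter", "input"), ("/ip firewall filter", "forward"),
                    ("/ip firewall nat", "srcnat"), ("/ip firewall nat", "dstnat")):
        print(sec, ch)
        for pos, action, comment in chain_order(parsed, sec, ch):
            print(f"  {pos:>2} {action:<22} {comment}")
    for r in unreachable_rules(parsed):
        print("unreachable:", r)
```

Paste the real export in place of `SAMPLE_EXPORT` (or read it from a file) and compare the printed `pos` column with the row order in `/ip firewall nat print stats`: a zero counter on a rule that sits after another rule with overlapping matchers in the same chain points at ordering rather than at the rule itself.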