(1) This open ended nonsense sourcenat rule is from the default rules........ ??
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
(2) No idea what you are doing with these seeminlyg bogus etherports/wlan ports ????
add bridge=bridge interface=adguard
add bridge=bridge interface=unifi
(3) Forgot to tag bridge in /interface bridge vlans!!
(4) Interface member vlans are all present, no need to have bridge as an interface member, does nothing.........
It looks like at one time the bridge had its own DHCP, I noted disabled address....................
Either add another vlan if you need another subnet or get rid of all the noise.
(5) Why is this default setting still hanging about??
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(6) BIG SECURITY MISTAKE!!!!
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp to-addresses=10.42.30.253 to-ports=443
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
dst-port=53 protocol=udp src-address=!10.42.0.100 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
dst-port=53 protocol=tcp src-address=!10.42.0.100 to-ports=53
In effect you are allowing the entire INTERNET to use your DNS SETUP.
Any address that is not 10.42.0.100![:-(]( "Sad")
![:-(]( "Sad")
You forgot to provide context and limits since this is aimed at your LAN side but inadvertently opened it up to LAN and WAN!!!
What you need to do / modify ASAP !!!
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
dst-port=53 protocol=udp src-address=!10.42.0.100 to-ports=53 in-interface-list=LAN
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
dst-port=53 protocol=tcp src-address=!10.42.0.100 to-ports=53 in-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
(2) No idea what you are doing with these seeminlyg bogus etherports/wlan ports ????
add bridge=bridge interface=adguard
add bridge=bridge interface=unifi
(3) Forgot to tag bridge in /interface bridge vlans!!
(4) Interface member vlans are all present, no need to have bridge as an interface member, does nothing.........
It looks like at one time the bridge had its own DHCP, I noted disabled address....................
Either add another vlan if you need another subnet or get rid of all the noise.
(5) Why is this default setting still hanging about??
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(6) BIG SECURITY MISTAKE!!!!
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=\
tcp to-addresses=10.42.30.253 to-ports=443
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
dst-port=53 protocol=udp src-address=!10.42.0.100 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
dst-port=53 protocol=tcp src-address=!10.42.0.100 to-ports=53
In effect you are allowing the entire INTERNET to use your DNS SETUP.
Any address that is not 10.42.0.100
You forgot to provide context and limits since this is aimed at your LAN side but inadvertently opened it up to LAN and WAN!!!What you need to do / modify ASAP !!!
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
dst-port=53 protocol=udp src-address=!10.42.0.100 to-ports=53 in-interface-list=LAN
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
dst-port=53 protocol=tcp src-address=!10.42.0.100 to-ports=53 in-interface-list=LAN
Statistics: Posted by anav — Mon Jan 01, 2024 6:34 pm