If you use an interface list, it will be easier to navigate and there will be a correct traffic flow. You have a slightly incorrect order of firewall rules.
Good practice says that it is best to use the "drop=all" method. This means that at the end of the Input chain and forward chain, the last rules will always have drop=all. It will be more correct.
Input chain:
Code:
/ip firewall address-list
add address=192.168.88.0/24 list=Main-LAN
add address=192.168.99.0/24 list=Guest-LAN
add address=192.168.100.2-192.168.100.5 list=L2TP-VPN
add address=192.168.101.0/24 list=Other-LAN
/ip firewall filter
# assumes interface lists named WAN, Main-LAN and Guest-LAN already exist under /interface list
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Config Access" src-address-list=Main-LAN
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=Main-LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=Main-LAN protocol=tcp
add action=accept chain=input comment="Allow Guest LAN DNS queries - UDP" dst-port=53 in-interface-list=Guest-LAN protocol=udp
add action=accept chain=input comment="Allow Guest LAN DNS queries - TCP" dst-port=53 in-interface-list=Guest-LAN protocol=tcp
add action=drop chain=input comment="drop all else"
In the Forward section, we create rules by observing the address-list entries. Do not mix the input chain with Forward.
Code:
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=Main-LAN out-interface-list=WAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=Guest-LAN out-interface-list=WAN
# address-list names are case-sensitive: the list is defined above as Main-LAN, not MAIN-LAN
add action=accept chain=forward comment=VPN dst-address-list=Main-LAN src-address-list=L2TP-VPN
# your rules..................
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Code:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.99.0/24
Statistics: Posted by johnson73 — Sat Mar 09, 2024 11:26 am
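A small checker for the two points made in the post (a catch-all drop as the last rule of each chain, and address-list references that actually exist), added here as an example and not part of johnson73's post or of RouterOS itself. It parses a constructed export written in the same format as the rules above and assumes, as RouterOS does, that address-list names are case-sensitive.

```python
import re
# Constructed sample export, modelled on the post's rules; it deliberately contains a mis-cased
# address-list name, a rule placed after the catch-all drop, and a forward chain without one.
SAMPLE_EXPORT = r"""
/ip firewall address-list
add address=192.168.88.0/24 list=Main-LAN
add address=192.168.100.2-192.168.100.5 list=L2TP-VPN
/ip firewall filter
add action=accept chain=input comment="Config Access" src-address-list=Main-LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=input comment="never reached" protocol=icmp
add action=accept chain=forward in-interface-list=Main-LAN out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=MAIN-LAN src-address-list=L2TP-VPN
add action=accept chain=forward connection-nat-state=dstnat
"""
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Split an export into defined address-list names and the /ip firewall filter rules."""
    lists, rules, section = set(), [], None
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            kv = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            if section == "/ip firewall address-list":
                lists.add(kv["list"])
            elif section == "/ip firewall filter":
                rules.append(kv)
    return lists, rules

def lint(text):
    """Return human-readable findings; an empty list means the export passed both checks."""
    def catch_all(r):  # action=drop with no matchers (chain and comment are not matchers)
        return r.get("action") == "drop" and set(r) <= {"action", "chain", "comment"}
    lists, rules = parse_export(text)
    findings, by_chain = [], {}
    for r in rules:
        by_chain.setdefault(r["chain"], []).append(r)
        for key in ("src-address-list", "dst-address-list"):  # dangling or mis-cased references
            if key in r and r[key] not in lists:
                findings.append(f"{r['chain']}: {key}={r[key]} is not a defined address list")
    for chain, chain_rules in by_chain.items():
        drops = [i for i, r in enumerate(chain_rules) if catch_all(r)]
        if not drops:
            findings.append(f"{chain}: no catch-all drop at the end of the chain")
        elif drops[0] != len(chain_rules) - 1:
            findings.append(f"{chain}: {len(chain_rules) - 1 - drops[0]} rule(s) after the catch-all drop are unreachable")
    return findings
```

Run `lint()` over the output of `/export` to check a live ruleset; the sample above yields three findings, one per deliberate mistake.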