General • Firewall - Check - No Portforwarding

Hi,
I have a firewall. Can you please check it? Port forwarding doesn't work. Otherwise, are you sure?
Code:
/ip firewall address-list
add address=10.50.99.0/24 list=LAN1
add address=10.50.50.0/24 list=LAN1
add address=10.50.51.0/24 list=LAN1
add address=10.50.52.0/24 list=LAN1
add address=10.50.53.0/24 list=LAN1
add address=10.50.54.0/24 list=LAN1
add address=10.50.55.0/24 list=LAN1
add address=10.50.56.0/24 list=LAN1
add address=10.50.57.0/24 list=LAN1
add address=10.50.58.0/24 list=LAN1
add address=10.50.59.0/24 list=LAN1
add address=10.50.60.0/24 list=LAN1
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=vpn01.testvpn.de list=allowedHosts
add list=ddos-attackers
add list=ddos-targets
add address=192.168.2.0/24 list=Costumer
add address=10.52.50.0/24 list=LAN3
add address=192.168.133.0/24 list=LAN3
add address=192.168.144.0/24 list=LAN2
add address=vpn02.testvpn.de list=allowedHosts
add address=vpn03.testvpn.de list=allowedHosts
add address=10.51.50.0/24 list=LAN2
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN1 protocol=tcp
add action=accept chain=input port=8291 protocol=tcp src-address=192.168.133.0/24
add action=accept chain=input port=8291 protocol=tcp
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=45735 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=45735 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=45735 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=8291 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address-list=LAN3 src-address-list=LAN1
add action=accept chain=forward dst-address-list=LAN1 src-address-list=LAN3
add action=accept chain=forward dst-address=192.168.133.0/24 src-address=10.50.50.0/24
add action=accept chain=forward dst-address=10.50.50.0/24 src-address=192.168.133.0/24
add action=accept chain=forward dst-address-list=Costumer src-address=10.50.50.0/24
add action=accept chain=forward dst-address=10.50.50.0/24 src-address-list=Costumer
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNAT" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=accept chain=input comment="Allow Wireguard" dst-port=45001,53235 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface=!WAN1 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface=wg0 protocol=udp
add action=accept chain=forward dst-port=22 protocol=tcp src-address=10.10.10.0
add action=accept chain=forward protocol=icmp src-address=10.10.10.0
add action=accept chain=forward dst-address=192.168.144.0/24 src-address=10.10.10.0/31
add action=accept chain=forward dst-port=443 protocol=tcp
add action=accept chain=forward comment="Allow existing and related connections" connection-state=established,related
add action=drop chain=forward comment="Block invalid packets" connection-state=invalid
add action=accept chain=forward comment="Allow LAN to WAN" in-interface=BRIDGE out-interface=WAN1
add action=accept chain=forward comment="Allow LAN ro WAN" dst-address-list=LAN3 in-interface=wg0
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=accept chain=prerouting comment="Allow established and related connections" connection-state=established,related
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=drop chain=forward layer7-protocol=youtube log=yes log-prefix=DROP
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark VoIP Pakete" new-packet-mark=voip_pkt passthrough=no protocol=udp src-port=10000-20000
add action=mark-packet chain=forward comment="Mark VoIP Pakete" dst-port=10000-20000 new-packet-mark=voip_pkt passthrough=no protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat comment=10.50.52.2 dst-port=443 in-interface=WAN1 log=yes log-prefix=443 protocol=tcp to-addresses=10.50.52.2 to-ports=443
add action=masquerade chain=srcnat comment="Masquerade for WAN access" out-interface=WAN1
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" log=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to LAN lan from WAN" dst-address-list=LAN in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp log=yes protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN log=yes
add action=accept chain=prerouting dst-address-list=LAN3 src-address-list=LAN1
add action=accept chain=prerouting dst-address-list=LAN1 src-address-list=LAN3
add action=accept chain=prerouting dst-address=10.50.50.0/24 src-address=192.168.133.0/24
add action=accept chain=prerouting dst-address=192.168.133.0/24 src-address=10.50.50.0/24
add action=accept chain=prerouting dst-address=192.168.144.0/24 src-address=10.10.10.0
add action=accept chain=prerouting dst-address=192.168.133.0/24 src-address=10.50.50.0/24
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=prerouting comment="Block Input Bogon IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Block Output Bogon IPs" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="Block nicht globale IPs to WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN1 in-interface-list=WAN
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN2 in-interface-list=WAN
add action=drop chain=prerouting comment="Block Forward to local LAN to WAN" dst-address-list=LAN3 in-interface-list=WAN
add action=accept chain=prerouting comment="Allow traffic from allowed hosts" src-address-list=allowedHosts
add action=drop chain=prerouting comment="Block traffic to DDoS targets, except from allowed hosts" dst-address-list=!allowedHosts src-address-list=ddos-attackers
add action=drop chain=prerouting comment="Block traffic to DDoS targets, except from allowed hosts" dst-address-list=ddos-targets src-address-list=!allowedHosts

Statistics: Posted by dima1002 — Sun Mar 10, 2024 12:42 pm
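A first pass over a RouterOS firewall export of this size is to look for rules that can never be hit: RouterOS evaluates each chain top to bottom and stops at the first terminal rule (accept, drop, reject, tarpit, or a NAT action), so any rule that sits below an earlier, enabled terminal rule whose matchers are a subset of its own is dead. The script below is an added example, not code from the poster or from MikroTik; it parses export-style text with one "add ..." per line and reports such shadowed rules. The SAMPLE_EXPORT is a constructed cut-down listing that mirrors the shape of the posted raw and filter chains (an unconditional accept at the top of the raw chain, a "drop the rest" further down), and the function names are this example's own.

```python
"""Spot RouterOS firewall rules that can never match because an earlier
terminal rule in the same table and chain already covers all of their traffic."""
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of an "/export" listing: section headers
# followed by one "add ..." rule per line. It mirrors the structure of the
# poster's raw and filter chains but is NOT the poster's full configuration.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Wireguard" dst-port=45001,53235 protocol=udp
add action=drop chain=input connection-state=new
add action=accept chain=forward dst-port=443 protocol=tcp
add action=drop chain=forward dst-port=443 protocol=tcp src-address-list=ddos-attackers
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" log=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=prerouting comment="Allow traffic from allowed hosts" src-address-list=allowedHosts
"""

# Actions after which the packet leaves the chain. jump, return, log and the
# add-*-to-address-list actions let the packet continue to the next rule.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit",
                    "dst-nat", "src-nat", "masquerade", "redirect", "netmap"}
# Properties that do not narrow which packets a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix",
                "disabled", "place-before", "jump-target"}

Rule = Dict[str, str]


def parse_export(text: str) -> List[Tuple[str, Rule]]:
    """Turn export text into (table, rule) pairs in listing order.
    shlex.split keeps quoted values such as comment="a b" together."""
    rules: List[Tuple[str, Rule]] = []
    table = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            table = line                      # e.g. "/ip firewall raw"
        elif line.startswith("add "):
            rule: Rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append((table, rule))
    return rules


def matchers(rule: Rule) -> Set[Tuple[str, str]]:
    """The (property, value) pairs that actually constrain a rule."""
    return {(k, v) for k, v in rule.items() if k not in NON_MATCHERS}


def find_shadowed(rules: List[Tuple[str, Rule]]) -> List[Dict[str, object]]:
    """A later rule is shadowed when an earlier, enabled, terminal rule in the
    same table and chain has matchers that are a subset of its own: every
    packet the later rule could see was already accepted or dropped above."""
    findings: List[Dict[str, object]] = []
    for i, (table, rule) in enumerate(rules):
        if rule.get("disabled") == "yes":
            continue
        for j in range(i):
            earlier_table, earlier = rules[j]
            if (earlier_table, earlier.get("chain")) != (table, rule.get("chain")):
                continue
            if earlier.get("disabled") == "yes" or earlier.get("action") not in TERMINAL_ACTIONS:
                continue
            if matchers(earlier) <= matchers(rule):
                findings.append({"rule_index": i, "shadowed_by": j,
                                 "table": table, "chain": rule.get("chain")})
                break                          # report the first shadowing rule only
    return findings


def describe(rules: List[Tuple[str, Rule]], finding: Dict[str, object]) -> str:
    """One human-readable line per finding, naming both rules by comment or matchers."""
    def label(idx: int) -> str:
        r = rules[idx][1]
        return r.get("comment") or " ".join(f"{k}={v}" for k, v in sorted(matchers(r))) or "<no matchers>"
    i, j = finding["rule_index"], finding["shadowed_by"]
    return (f"{finding['table']} chain={finding['chain']}: rule #{i} [{label(i)}] "
            f"can never match; rule #{j} [{label(j)}] ({rules[j][1]['action']}) catches it first")


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for f in find_shadowed(parsed):
        print(describe(parsed, f))
```

On the sample this reports the forward-chain drop for 443 (shadowed by the broader accept above it) and every raw-chain rule below the unconditional accept, which is the same shape the posted raw chain has: its first rule is an accept with no matchers and no disabled=yes. The check is deliberately literal: it only recognises a superset when the earlier rule's property/value pairs are identical, so it will not see that port=8291 covers dst-port=8291, that a negated list like !allowedHosts overlaps a positive one, or that drop connection-state=new in input makes later accepts unreachable for new connections. Treat its output as a shortlist for manual review, not a verdict.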