General • Re: Firewall - Check - No Portforwarding

I actually got most of it from here https://help.microtik.com/docs/display/ ... d+Firewall.

If the firewall is perhaps better, I tried to rebuild it again and sorted it:
Code:
/interface list
add name=VLAN
add name=LAN
add name=WAN
add name=GUEST
add name=MGTM
add name=DMZ
add name=WIREGUARD
/interface list member
add interface=WAN1 list=WAN
add interface=VLAN_99 list=MGTM
add interface=VLAN_100 list=LAN
add interface=VLAN_300 list=DMZ
add interface=VLAN_200 list=GUEST
add interface=wg0 list=WIREGUARD
/ip firewall address-list
add address=10.50.99.0/24 list=MGMT
add address=10.50.50.0/24 list=LAN
add address=10.50.51.0/24 list=LAN
add address=10.50.52.0/24 list=DMZ
add address=10.50.53.0/24 list=LAN
add address=10.50.54.0/24 list=LAN
add address=10.50.55.0/24 list=LAN
add address=10.50.56.0/24 list=LAN
add address=10.50.57.0/24 list=LAN
add address=10.50.58.0/24 list=LAN
add address=10.50.59.0/24 list=LAN
add address=10.50.60.0/24 list=LAN
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=vpn01.testvpnit.de list=allowedHosts
add address=vpn02.testvpnit.de list=allowedHosts
add address=vpn03.testvpnit.de list=allowedHosts
add list=ddos-attackers
add list=ddos-targets
add address=m.ittestvpn.de list=allowedHosts
add address=vpn.ittestvpn.de list=allowedHosts
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=LAN
add action=accept chain=input port=8291 protocol=tcp
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=46821 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=46821 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=46821 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=new
add action=add-src-to-address-list address-list=BruteForce address-list-timeout=1w chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=!allowedHosts
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=BruteForce
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Wireguard dst-port=40002 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface-list=WIREGUARD protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" dst-port=53 in-interface-list=WIREGUARD protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow GUEST DNS queries - UDP" dst-port=53 in-interface-list=GUEST protocol=udp
add action=accept chain=input comment="Allow GUEST DNS queries - TCP" dst-port=53 in-interface-list=GUEST protocol=tcp
add action=drop chain=input comment="Block invalid TCP packets" connection-state=invalid protocol=tcp
add action=drop chain=input comment="Block new packets that are not SYN" connection-state=new protocol=tcp tcp-flags=!syn
add action=drop chain=input comment="Block unusual MSS packet values" connection-state=new protocol=tcp tcp-mss=!536-65535
add action=drop chain=input comment="Block Port Scans" protocol=tcp psd=20,3s,10,2
add action=drop chain=input comment="Block TCP RST Floods" limit=2,2:packet protocol=tcp tcp-flags=rst
add action=drop chain=input comment="Block ICMP Flood (Ping)" limit=!1,1:packet protocol=icmp
add action=drop chain=input comment="Block incoming from bad IPv4 addresses" src-address-list=bad_ipv4
add action=drop chain=forward comment="Block forwarding from non-global IPv4" src-address-list=not_global_ipv4
add action=drop chain=forward comment="Block forwarding to non-global IPv4" dst-address-list=not_global_ipv4
add action=drop chain=input comment="Drop all else"
add action=return chain=detect-ddos comment="Detect potential DDoS attacks" dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos comment="Add potential targets to DDoS list"
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos comment="Add potential attackers to DDoS list"
add action=return chain=detect-ddos comment="Detect potential DDoS attacks (SYN/ACK)" dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-port=443 protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow LAN to WAN internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow GUEST to WAN internet traffic" dst-port=80,443 in-interface-list=GUEST out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Allow destination NAT from WAN and LAN" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
add action=drop chain=output comment="Block outgoing to bad IPv4 addresses" dst-address-list=bad_ipv4
/ip firewall nat
add action=dst-nat chain=dstnat comment=10.50.52.2 dst-port=443 in-interface=WAN1 log=yes log-prefix=443 protocol=tcp to-addresses=10.50.52.2 to-ports=443
add action=masquerade chain=srcnat comment="Masquerade for WAN access" out-interface=WAN1
/ip firewall raw
add action=drop chain=prerouting comment="Block potential DDoS attacks" dst-address-list=ddos-targets src-address-list=ddos-attackers
/ip firewall service-port
set sip disabled=yes

Statistics: Posted by dima1002 — Mon Mar 11, 2024 5:22 pm
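RouterOS evaluates filter rules top to bottom and stops at the first terminal match, so a rule with no matchers (or only `connection-state=new`) ends its chain for every later rule. The export in the post above places several accept rules after such catch-all drops in the `input` chain, which is the kind of ordering problem a quick lint over the export surfaces. The following is an added example, not code from the poster or from MikroTik: a small Python checker that parses the `/ip firewall filter` section of an export and reports every rule that sits behind a catch-all terminal rule in the same chain. The sample export embedded in it is constructed, modelled on the post's rules; the rule indices and the "shadowed for new connections" heuristic are this example's own and do not simulate every RouterOS matcher.

```python
"""Heuristic shadow-rule check for a RouterOS '/ip firewall filter' export.

Added example; not part of the forum post. Reads 'add ...' lines, then
reports rules that come after a catch-all terminal rule in the same chain.
"""
import shlex

# Actions that stop rule evaluation for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}
# Attributes that are not packet matchers.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log",
                  "log-prefix", "place-before"}

# Constructed sample export modelled on the post's input/forward chains.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input connection-state=new
add action=accept chain=input comment=Wireguard dst-port=40002 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="Allow LAN to WAN internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
"""


def parse_rules(export_text):
    """Return the 'add' lines under /ip firewall filter as key/value dicts."""
    rules = []
    in_filter = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_filter = (line == "/ip firewall filter")
            continue
        if not in_filter or not line.startswith("add "):
            continue
        rule = {}
        # shlex handles comment="..." values that contain spaces.
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matches_new_connections(rule):
    """True when the rule can see a packet of a new connection."""
    states = rule.get("connection-state")
    return states is None or "new" in states.split(",")


def is_catch_all(rule):
    """Terminal rule whose only matcher is, at most, a connection-state that
    includes 'new'; everything after it in the chain is unreachable for
    new connections."""
    if rule.get("action") not in TERMINAL_ACTIONS or rule.get("disabled") == "yes":
        return False
    matchers = set(rule) - NON_MATCH_KEYS
    return matchers <= {"connection-state"} and matches_new_connections(rule)


def find_shadowed(export_text):
    """List rules that follow a catch-all terminal rule in their chain."""
    rules = parse_rules(export_text)
    closed_chains = {}  # chain name -> index of the catch-all that closed it
    findings = []
    for idx, rule in enumerate(rules):
        chain = rule.get("chain")
        if chain in closed_chains:
            if matches_new_connections(rule):
                findings.append({"rule": idx, "chain": chain,
                                 "comment": rule.get("comment", ""),
                                 "shadowed_by": closed_chains[chain]})
        elif is_catch_all(rule):
            closed_chains[chain] = idx
    return findings


if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_EXPORT):
        print(f"rule {f['rule']} in chain {f['chain']} ({f['comment']!r}) "
              f"is shadowed by rule {f['shadowed_by']}")
```

Run it against the output of `/ip firewall filter export` on the router to get the same report for a live configuration; the check is deliberately conservative and only flags rules behind a rule that has no matcher other than `connection-state`, so rules shadowed by broader address-list or interface matchers still need a manual read.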