1. Concur with erlinden's observation.
2. Firewall rules are a bit disorganized and, after review, my big issue is the ridiculousness of allowing all vlans to the router and then afterwards attempting to only allow the management vlan to config the router......... had a good chuckle.
I also removed this rule awaiting clarification; it makes no sense to allow an entire subnet to access the management vlan.......???
add action=accept chain=forward in-interface=vlan30-house-blue out-interface=\
vlan43-mgmt
One should be on the management vlan already, but okay, if not then I suggest that it's one or two IP addresses that should access it, not the whole subnet.
So temporarily put the rule back in, but with the authorized list......
It should look like......
/ip firewall address-list ( using mostly static DHCP leases )
add address=admin-IP1 list=Authorized comment="Admin desktop"
add address=admin-IP2 list=Authorized comment="Admin laptop"
add address=admin-IP3 list=Authorized comment="Admin ipad/smartphone"
add address=admin-IP4 list=Authorized comment="Admin remote wireguard IP"
/ip firewall filter
{ Input Chain }
(default rules to keep)
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(user rules)
add action=accept chain=input src-address-list=Authorized comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=VLAN protocol=udp
(and NTP *** services if required etc)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
{Forward Chain}
(default rules to keep)
add action=fasttrack-connection chain=forward connection-state=\
established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="VLAN Internet Access only" \
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward src-address-list=Authorized out-interface=\
vlan43-mgmt
add action=accept chain=forward comment="DNS Parental Control" dst-address=\
10.0.30.17 dst-port=53 in-interface=vlan40-children-yellow protocol=udp
add action=accept chain=forward dst-address=10.0.30.17 dst-port=53 \
in-interface=vlan40-children-yellow protocol=tcp
add action=drop chain=forward comment=Drop log-prefix=drop_forward
Statistics: Posted by anav — Mon Dec 25, 2023 5:43 pm
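To check what the ruleset in the post actually lets through, here is an added first-match evaluator for the subset of RouterOS /ip firewall filter syntax the post uses. It is illustration code written for this page, not RouterOS and not anav's own config: the interface-list membership (VLAN, WAN with ether1), the concrete addresses behind admin-IP1..4, the router address, the management host and the packets are all assumed values, and the evaluator models only the matchers that appear in the post. It evaluates the posted rules and, for comparison, the removed whole-subnet rule.

```python
"""First-match evaluator for the subset of RouterOS /ip firewall filter syntax used in
the post above. Added illustration, not RouterOS: only the matchers the post uses are
modelled, and it exists to show which hosts the Authorized-list design lets through."""
import ipaddress
import shlex

# Assumed interface-list and address-list membership; the post does not show these.
INTERFACE_LISTS = {
    "VLAN": {"vlan30-house-blue", "vlan40-children-yellow", "vlan43-mgmt"},
    "WAN": {"ether1"},
}
ADDRESS_LISTS = {
    # admin-IP1..4 from the post, given hypothetical values here
    "Authorized": {"10.0.30.10", "10.0.30.11", "10.0.30.12", "10.0.44.2"},
}
ROUTER_IP = "10.0.30.1"  # assumed vlan30 gateway address
MGMT_HOST = "10.0.43.5"  # assumed host inside vlan43-mgmt

# The post's filter rules, one per line (continuations joined); the fasttrack rule is
# omitted because it is disabled=yes in the post.
FILTER_RULES = """
add action=accept chain=input comment="Allow Estab & Related & Untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Authorized comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related & Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward src-address-list=Authorized out-interface=vlan43-mgmt
add action=accept chain=forward comment="DNS Parental Control" dst-address=10.0.30.17 dst-port=53 in-interface=vlan40-children-yellow protocol=udp
add action=accept chain=forward dst-address=10.0.30.17 dst-port=53 in-interface=vlan40-children-yellow protocol=tcp
add action=drop chain=forward comment=Drop log-prefix=drop_forward
"""
# The rule the post removed: the whole vlan30 subnet into the management VLAN.
REMOVED_RULE = "add action=accept chain=forward in-interface=vlan30-house-blue out-interface=vlan43-mgmt"
SKIP_KEYS = {"action", "chain", "comment", "log-prefix", "disabled", "hw-offload"}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def _matches(rule, pkt):
    """True if every matcher in the rule applies; unknown matchers raise so the model
    fails closed rather than silently treating them as a match."""
    for key, want in rule.items():
        if key in SKIP_KEYS:
            continue
        if key == "connection-state":
            ok = pkt.get("connection-state") in want.split(",")
        elif key == "protocol":
            ok = pkt.get("protocol") == want
        elif key == "dst-port":
            ok = str(pkt.get("dst-port")) in want.split(",")
        elif key in ("in-interface", "out-interface"):
            ok = pkt.get(key) == want
        elif key in ("in-interface-list", "out-interface-list"):
            ok = pkt.get(key[:-5]) in INTERFACE_LISTS.get(want, set())
        elif key in ("src-address", "dst-address"):
            ok = ipaddress.ip_address(pkt.get(key, "0.0.0.0")) in ipaddress.ip_network(want, strict=False)
        elif key in ("src-address-list", "dst-address-list"):
            ok = pkt.get(key[:-5]) in ADDRESS_LISTS.get(want, set())
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if not ok:
            return False
    return True


def verdict(rules, pkt):
    """First matching rule in the packet's chain wins. RouterOS accepts what no rule
    matched, so the explicit final drop is what makes each chain default-deny."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        if _matches(rule, pkt):
            return rule["action"], rule.get("comment", f"rule #{idx}")
    return "accept", "implicit chain default"


def new_pkt(chain, src, dst, in_if=None, out_if=None, proto=None, dport=None, state="new"):
    """Constructed packet; keys use RouterOS matcher names."""
    pkt = {"chain": chain, "src-address": src, "dst-address": dst, "connection-state": state,
           "in-interface": in_if, "out-interface": out_if, "protocol": proto, "dst-port": dport}
    return {k: v for k, v in pkt.items() if v is not None}


RULES = parse_rules(FILTER_RULES)


def with_removed_rule():
    """The posted rules plus the removed subnet rule, inserted before the final forward drop."""
    rules = list(RULES)
    last_drop = max(i for i, r in enumerate(rules) if r["chain"] == "forward" and r["action"] == "drop")
    rules.insert(last_drop, parse_rules(REMOVED_RULE)[0])
    return rules


def demo():
    """Constructed packets: management-plane access (input) and inter-VLAN traffic (forward)."""
    unlisted = new_pkt("forward", "10.0.30.50", MGMT_HOST, "vlan30-house-blue", "vlan43-mgmt", "tcp", 22)
    admin = new_pkt("forward", "10.0.30.10", MGMT_HOST, "vlan30-house-blue", "vlan43-mgmt", "tcp", 22)
    return {
        "input: winbox from unlisted vlan30 host": verdict(RULES, new_pkt("input", "10.0.30.50", ROUTER_IP, "vlan30-house-blue", None, "tcp", 8291)),
        "input: winbox from Authorized desktop": verdict(RULES, new_pkt("input", "10.0.30.10", ROUTER_IP, "vlan30-house-blue", None, "tcp", 8291)),
        "input: DNS from unlisted vlan30 host": verdict(RULES, new_pkt("input", "10.0.30.50", ROUTER_IP, "vlan30-house-blue", None, "udp", 53)),
        "forward: unlisted vlan30 host -> mgmt (post's rules)": verdict(RULES, unlisted),
        "forward: unlisted vlan30 host -> mgmt (removed subnet rule)": verdict(with_removed_rule(), unlisted),
        "forward: Authorized desktop -> mgmt": verdict(RULES, admin),
        "forward: child VLAN -> internet": verdict(RULES, new_pkt("forward", "10.0.40.20", "203.0.113.9", "vlan40-children-yellow", "ether1", "tcp", 443)),
        "forward: child VLAN -> parental DNS": verdict(RULES, new_pkt("forward", "10.0.40.20", "10.0.30.17", "vlan40-children-yellow", "vlan30-house-blue", "udp", 53)),
        "forward: child VLAN -> other vlan30 service": verdict(RULES, new_pkt("forward", "10.0.40.20", "10.0.30.17", "vlan40-children-yellow", "vlan30-house-blue", "tcp", 443)),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{action:6}  {name}  [{why}]")
```

The comparison line in the demo is the point of the post: with the removed rule present, any host on vlan30 reaches the management VLAN; with the Authorized-list rule, only the listed addresses do, and the unlisted host falls through to the logged final drop. The evaluator raises on any matcher it does not model, so extending it to rules that use other parameters (port ranges, connection marks, address ranges) needs an explicit matcher rather than a silent pass.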