Your rules are seriously messed up and do not contain the usual elements (established, fasttrack...). However, they don't end in a drop-all, so everything is accepted (hint: bad).
Reading your configurations:
- I do not see any definition for the vlans in the bridge (/interface bridge vlan) of your RB4011, which could be normal if you are not using vlan-filtering.
- This NAT is problematic: you are changing the source IP to the same as the destination IP.
Code:
add action=masquerade chain=srcnat comment="for PiHole - Hairpin NAT" \
    dst-address=192.168.0.17 dst-port=80 out-interface=vlan100 protocol=tcp \
    src-address=192.168.0.0/24 to-addresses=192.168.0.17
- You have static leases bound to a server that no longer exists (search for server=*1)
- This NAT is problematic: it catches ALL NTP packets, regardless.
Code:
add action=masquerade chain=srcnat comment="for Time Sync UDP 123" dst-port=\
    123 protocol=udp to-ports=12300
- Check on your router that you actually see the leases being bound to your clients
- Look at the connection table (/ip firewall connection/print) and determine if you see connections from 192.168.0.0/24 to the internet, and if so look at the detailed table to determine whether the reply-dst-address corresponds to the interface of WAN1
- If you don't see any connections from 192.168.0.0/24 in your connection table, check if your clients have the right gateway and an ARP entry for that gateway.
Posted by vingjfg — Wed Jan 03, 2024 11:02 pm
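The three mechanical checks in this reply (filter chains not ending in a drop-all, a srcnat rule whose to-addresses equals its dst-address, and a srcnat rule with no src/dst/interface matcher) as a small linter over a RouterOS export. This is an added example, not the poster's code; the export it parses is constructed and contains only the two quoted NAT rules plus an invented filter section and WAN masquerade.

```python
import re
import shlex
# Constructed sample (not the poster's full config): the two NAT rules quoted in the reply,
# plus a filter section that ends in a drop for the input chain but not for forward.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input
add action=accept chain=forward src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="for PiHole - Hairpin NAT" \\
    dst-address=192.168.0.17 dst-port=80 out-interface=vlan100 protocol=tcp \\
    src-address=192.168.0.0/24 to-addresses=192.168.0.17
add action=masquerade chain=srcnat comment="for Time Sync UDP 123" dst-port=\\
    123 protocol=udp to-ports=12300
"""
# Matchers that limit a NAT rule to part of the traffic; a srcnat rule with none catches all.
SCOPE_KEYS = {"src-address", "dst-address", "in-interface", "out-interface",
              "src-address-list", "dst-address-list", "in-interface-list", "out-interface-list"}

def parse_export(text):
    """Return [(section, {key: value})] for each 'add' line. RouterOS wraps long lines
    with a trailing backslash and indents the continuation, so re-join those first."""
    text = re.sub(r"\\\n\s*", "", text)
    section, rules = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rules.append((section, dict(t.partition("=")[::2] for t in shlex.split(line[4:]))))
    return rules

def lint(text):
    """Apply the reply's checks mechanically; return a list of finding strings."""
    rules, findings = parse_export(text), []
    filt = [r for s, r in rules if s == "/ip firewall filter"]
    for chain in ("input", "forward"):
        last = [r for r in filt if r.get("chain") == chain][-1:]
        # The last rule must be a drop with no matchers, or unmatched traffic is accepted.
        if not (last and last[0].get("action") == "drop"
                and set(last[0]) <= {"chain", "action", "comment"}):
            findings.append(f"filter/{chain}: chain does not end in an unconditional drop")
    for s, r in rules:
        if s != "/ip firewall nat" or r.get("chain") != "srcnat": continue
        if r.get("to-addresses") and r["to-addresses"] == r.get("dst-address"):
            findings.append(f"nat: to-addresses equals dst-address ({r['to-addresses']})")
        if not SCOPE_KEYS & set(r):
            findings.append(f"nat: no src/dst/interface matcher, catches all "
                            f"{r.get('protocol', 'ip')} traffic to port {r.get('dst-port', 'any')}")
    return findings
```

Run `lint(SAMPLE_EXPORT)` against the text of `/export` from a router to get the same three findings the reply lists for this sample; the established/fasttrack and static-lease points are not covered.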