In case the entire firewall configuration is needed, here is the RouterOS export (`/ip firewall filter` and `/ip firewall nat`):
# Input chain: traffic addressed to the router itself. Rules are evaluated top-down, first match wins.
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
# No limit= on this rule, so ICMP is accepted from every interface (WAN included) without rate
# limiting; add limit=... if ping floods against the router are a concern.
add action=accept chain=input comment="Accept ICMP (ping)" protocol=icmp
add action=accept chain=input comment="Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled: while off, interfaces in the VLAN list fall through to the drop rule below and cannot
# reach router services at all. Enabling it gives VLANs the same router access as the LAN list.
add action=accept chain=input disabled=yes in-interface-list=VLAN
# Last input rule: anything arriving on an interface not in the LAN list is dropped, so WAN can
# reach the router only through the established/related, ICMP and loopback accepts above.
add action=drop chain=input comment="Only allow access to router from LAN" in-interface-list=!LAN
# Forward chain. The two IPsec-policy accepts are placed before fasttrack on purpose: fasttracked
# connections skip the remaining rules (see the rule's own comment), so IPsec traffic must be
# matched first.
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack existing connections through firewall (no rules applied)" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Only NEW connections entering on WAN that were not dst-nat'ed are dropped, so the port forwards
# in /ip firewall nat pass through here. There is no trailing drop: forwarded traffic from any
# non-WAN interface (LAN, VLAN, ...) to anywhere is allowed unless a rule above says otherwise,
# so inter-VLAN isolation, if wanted, needs explicit rules in this chain.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed (block incoming connections)" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
# Hairpin NAT: LAN-to-LAN connections that were dst-nat'ed get the router's address as source so
# the reply comes back through the router instead of going host-to-host.
# NOTE(review): this only has an effect if a dstnat rule actually matches LAN-origin packets. All
# forwards below require in-interface-list=WAN, so a LAN client connecting to the public address
# is never dst-nat'ed and this rule looks dead. Hairpin needs the dstnat rules to match on the
# WAN address (dst-address=<public IP>, or an address-list holding it) rather than on the
# ingress interface - confirm against the actual WAN setup before changing.
add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 src-address=192.168.0.0/24
# Outbound masquerade on WAN; ipsec-policy=out,none excludes traffic that matches an IPsec policy
# so it is not NATed before encryption.
add action=masquerade chain=srcnat comment="outgoing nat" ipsec-policy=out,none out-interface-list=WAN
# Port forwards. None of them carries src-address / src-address-list, so every service is reachable
# from any source on the Internet. 8008 tcp+udp is a remote-support (SimpleHelp) listener on
# 192.168.0.7; where the connecting client ranges are predictable, an src-address-list allowlist on
# these two rules is the usual hardening for a remote-access service.
add action=dst-nat chain=dstnat comment="simplehelp tcp" dst-port=8008 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.7 to-ports=8008
add action=dst-nat chain=dstnat comment="simplehelp udp" dst-port=8008 in-interface-list=WAN protocol=udp to-addresses=192.168.0.7 to-ports=8008
# Web server on 192.168.0.14, HTTP and HTTPS exposed to WAN.
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443