Hi. I am not new to Mikrotik, but I am low on the knowledge spectrum. I have attached my Frankenstein of a firewall setup. Can you identify anything here that is wrong, faulty, counterintuitive, and or redundant? I am using PPPoE from my ISP for a 10gig line. This is a home setup.
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.13.2-192.168.13.254 list=allowed_to_router
add address=192.168.26.2-192.168.26.254 list=allowed_to_router
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.13.0/24 comment=VL1 list=nolanip
add address=192.168.26.0/24 comment=VL1 list=nolanip
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related,untracked
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# add action=accept chain=forward protocol=tcp dst-port=25565 in-interface=EO-Hikari comment="Allow Minecraft server traffic"
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=EO-Hikari log=yes log-prefix=!public_from_LAN out-interface=sfp-sfpplus2-LAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=EO-Hikari log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=EO-Hikari log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=sfp-sfpplus2-LAN log=yes log-prefix=LAN_!LAN src-address-list=!not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.13.2-192.168.13.254 list=allowed_to_router
add address=192.168.26.2-192.168.26.254 list=allowed_to_router
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.13.0/24 comment=VL1 list=nolanip
add address=192.168.26.0/24 comment=VL1 list=nolanip
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related,untracked
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# add action=accept chain=forward protocol=tcp dst-port=25565 in-interface=EO-Hikari comment="Allow Minecraft server traffic"
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=EO-Hikari log=yes log-prefix=!public_from_LAN out-interface=sfp-sfpplus2-LAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=EO-Hikari log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=EO-Hikari log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=sfp-sfpplus2-LAN log=yes log-prefix=LAN_!LAN src-address-list=!not_in_internet
Statistics: Posted by Guccio — Wed Jan 15, 2025 10:57 am