Hello.
Please check my settings.
Thank you.
Please check my settings.
Thank you.
Code:
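# 2024-02-12 18:45:17 by RouterOS 7.12
# software id = 4NGD-NHR9
#
# model = RBD53iG-5HacD2HnD
# serial number = <edit>
#
# Review notes are the "# NOTE(review):" lines below. The only functional change
# versus the posted export is on the two "comment=wireguard" accept rules, which
# now also match on in-interface=wireguard1 (see the note there). Everything
# else is the original configuration, re-wrapped one command per line.
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Prdel supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="czech republic" disabled=no distance=indoors frequency=2427 installation=indoor mode=ap-bridge security-profile=Prdel ssid=MT24 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors frequency=5260 installation=indoor mode=ap-bridge security-profile=Prdel ssid=MT50 wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=5m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is still accepted as an OVPN auth digest here. The export
# does not show this server being enabled, so it is likely inactive; if it is
# ever enabled, drop md5 from the list unless a legacy client needs it.
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.77.2/32 comment="Mobil Jenda" interface=wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.3/32 comment="Notebook HP" interface=wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.4/32 comment="Mobil M\ED\9Aa" interface=wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.77.1/24 interface=wireguard1 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a DNS resolver for
# clients; the input rules below only accept dst-port=53 with in-interface=!ether1,
# so it is not exposed on the WAN side as long as that ordering is kept.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=comment-test comment="-- SECTION -- test and info rules"
add action=passthrough chain=comment-established comment="-- SECTION -- established rules"
add chain=forward comment="allow established forward" connection-state=established
add chain=forward comment="povol related forward" connection-state=related
add chain=input comment="Allow esatblished connections forward" connection-state=established
add chain=input comment="Allow related connections input" connection-state=related
add chain=output comment="Allow esatblished connections output" connection-state=established
add chain=output comment="Allow related connections output" connection-state=related
add action=passthrough chain=comment-drop comment="-- SECTION -- drop rules"
add action=log chain=input comment="Drop invalid connections" connection-state=invalid log-prefix=drop_invalid
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=log chain=output comment="Drop invalid connections" connection-state=invalid log-prefix=drop_invalid
add action=drop chain=output comment="Drop invalid connections" connection-state=invalid
# NOTE(review): nothing in this export populates the all_banned list; the two
# rules below are inert until something (an address-list entry, a script) adds to it.
add action=log chain=forward comment="drop all BANNED IPs" log-prefix=drop_banned src-address-list=all_banned
add action=drop chain=forward comment="drop all BANNED IPs" src-address-list=all_banned
add action=log chain=input comment="Block broadcasts packets" disabled=yes dst-address=255.255.255.255 log-prefix=255
add action=drop chain=input comment="Block broadcasts packets" dst-address=255.255.255.255
add action=drop chain=input comment="Block broadcasts packets" dst-address-type=broadcast,multicast
add action=passthrough chain=comment-VOIP comment="-- SECTION -- VOIP rules"
add action=passthrough chain=comment-DDOS comment="-- SECTION -- block ddos rules"
# NOTE(review): the ssh staging rules have no in-interface match, so repeated
# new connections to tcp/22 from the LAN or the VPN also walk the stage1..3
# lists and end in ssh_blacklist for 1w3d. That may be intended; if not, add
# in-interface=ether1 to the four add-src-to-address-list rules.
add action=log chain=input comment="drop ssh brute forcers for 10days" dst-port=22 log-prefix=drop-ssh-brute protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers for 10days" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="ssh black_list" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=20m chain=input comment="ssh black_list" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input comment="ssh black_list" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input comment="ssh black_list" connection-state=new dst-port=22 protocol=tcp
# NOTE(review): the whole block-ddos set is disabled=yes, so it has no effect as
# posted. The second "Jump_to_block-ddos" input rule (dst-port=!53) duplicates
# the first one (dst-port=!53,514); keep one of them if the set is ever enabled.
add action=jump chain=forward comment=Jump_to_block-ddos disabled=yes dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=return chain=block-ddos disabled=yes limit=16,32:packet
add action=log chain=block-ddos disabled=yes log-prefix=DDOS_ATTACK:
add action=drop chain=block-ddos disabled=yes limit=16,32:packet
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=!53 jump-target=block-ddos protocol=udp
add action=passthrough chain=comment-important-basic comment="-- SECTION -- important and basic rules"
# NOTE(review): in-interface=!ether1 matches the bridge AND wireguard1, so
# WinBox/SSH management is reachable from VPN peers as well as the LAN.
add action=accept chain=input dst-port=8291,22 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 in-interface=!ether1 protocol=tcp
add action=accept chain=forward comment="allow router DNS queries" dst-port=53 in-interface=!ether1 protocol=udp
add action=accept chain=forward comment="allow router DNS queries" dst-port=53 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router NTP queries" dst-port=123 protocol=udp
add action=accept chain=forward comment="allow router NTP queries" dst-port=123 in-interface=!ether1 protocol=udp
add chain=output comment="allow ping z routeru" protocol=icmp
add action=accept chain=forward comment="povol PING forward" in-interface=!ether1 protocol=icmp
add action=accept chain=input comment="povol PING input" in-interface=!ether1 limit=10,50:packet protocol=icmp
add action=passthrough chain=comment-VPNs comment="-- SECTION -- VPNs rules"
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
# CHANGED(review): the original rules matched on src-address only, so any
# packet carrying a 192.168.77.x source (e.g. one arriving on ether1) was
# accepted into input/forward. 192.168.77.0/24 only exists on wireguard1, so
# binding the rules to that interface is a pure anti-spoofing restriction.
add action=accept chain=input comment=wireguard in-interface=wireguard1 src-address=192.168.77.0/24
add action=accept chain=forward comment=wireguard in-interface=wireguard1 src-address=192.168.77.0/24
add action=accept chain=input comment="allow input PPTP" disabled=yes dst-port=1723 protocol=tcp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes dst-port=500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes dst-port=4500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input L2TP" disabled=yes dst-port=1701 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input PPTP" disabled=yes protocol=gre
add action=accept chain=input comment="allow input IPSEC-esp" disabled=yes protocol=ipsec-esp
add action=passthrough chain=comment-PUBLIC-DMZ comment="-- SECTION -- public DMZ, webserver etc rules"
add action=passthrough chain=comment-INET-access comment="-- SECTION -- Internet access RULES"
add action=accept chain=forward comment="povolene vse z LAN" in-interface=bridge out-interface=ether1
add chain=forward comment="povolene sluzby obecne TCP z LAN" disabled=yes out-interface=ether1 protocol=tcp
add chain=forward comment="povolene sluzby obecne UDP z LAN" disabled=yes out-interface=ether1 protocol=udp src-address-list=!servers_RANGE_vlan
add action=passthrough chain=comment-OTHER comment="-- SECTION -- other rules"
add action=passthrough chain=comment-DROP-FINAL comment="-- SECTION -- FINAL DROPs"
# NOTE(review): the output chain ends in drop, and only DNS, NTP and ICMP are
# accepted above for new router-originated traffic. Anything else the router
# itself initiates (package updates, /tool fetch, cloud/DDNS) will show up in
# the log with prefix DROP_output rather than fail silently.
add action=log chain=forward comment="Drop everything all FORWARD" log-prefix=DROP_forward
add action=drop chain=forward comment="Drop everything all FORWARD"
add action=log chain=input comment="Drop everything all INPUT" log-prefix=DROP_input
add action=drop chain=input comment="Drop everything all INPUT"
add action=log chain=output comment="Drop everything all OUTPUT" log-prefix=DROP_output
add action=drop chain=output comment="Drop everything all OUTPUT"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): www-ssl is enabled, but no input rule above accepts tcp/443 from
# the LAN; the web UI is reachable only where a broader accept matches (the
# wireguard src-address rule). Either disable www-ssl too or add an explicit
# accept for tcp/443 with in-interface=bridge, depending on what is intended.
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
# NOTE(review): forced-ip here is not a valid IPv4 address (octets above 255),
# so it was presumably redacted for posting. Whether UPnP itself is enabled is
# not visible in this export; if it is, LAN hosts can request port mappings.
add forced-ip=123.456.789.000 interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Prague
/system logging
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN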