In the input chain, if you need additional incoming traffic to the router (like WireGuard) or you want to change the LAN rule to be more specific, do that in the blue section.

add action=accept chain=input in-interface-list=Trusted src-address-list=Authorized

add comment="OOB - 192.168.178.0/24" name=loopback178
add comment="OpenVPN OOB Public" name=loopback778

In the forward chain, if you need additional traffic between subnets or VLANs, then you put those with the rules in green. It's best to stick to allowing needed traffic and use a drop rule at the end of both the input and forward chains to block anything not wanted; you don't need to know what that is because you're dropping it all!!!

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

export file=anynameyouwish (minus router serial # and any public WAN IP information)

I am sure I don't need in-interface=core1-po12-WAN but tried it anyhow.

add action=accept chain=input comment="Block all access to ssh except cnet-mgmt" \
    connection-state=established,related dst-port=22 in-interface=core1-po12-WAN protocol=tcp \
add action=accept chain=input comment="Block all access to http except cnet-mgmt" \
    connection-state=established,related dst-port=80 in-interface=core1-po12-WAN protocol=tcp \
add action=accept chain=input comment="Block all access to winbox except cnet-mgmt" \
    connection-state=established,related dst-port=8291 in-interface=core1-po12-WAN protocol=tcp \
add action=accept chain=input comment=OSPF connection-state=established,related in-interface=\
    core1-po12-WAN src-address-list=cnet-ospf
add action=accept chain=input comment="Sonar API SSL Login" connection-state=\
    established,related dst-port=8729 in-interface=core1-po12-WAN protocol=tcp \
add action=drop chain=input in-interface=core1-po12-WAN

Can't help much with only part of the config, since many parts are interrelated.

I created an address list for the networks allowed and a filter to block ports, but my blocking is not working. I am confused about how to block ports to the MikroTik, like SSH, API, etc.
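Added example, not code from the thread or from MikroTik: a small Python simulator of RouterOS first-match filter evaluation, used to walk constructed packets through the input rules posted above and through a hardened version of them. Assumptions (none of them from the thread): the truncated continuation lines of the posted rules carried src-address-list=cnet-mgmt; cnet-mgmt is 10.0.0.0/24; the LAN-side interface is called bridge-lan; the OSPF rule is left out. Two properties of the posted rules fall out of the run. An accept rule whose only states are established,related never matches the first packet of a new connection, so a new SSH session from the management network arriving on core1-po12-WAN falls through to the final drop. And because that drop is bound to one interface, the same new session arriving on any other interface matches nothing and is accepted by the chain's implicit default. The hardened chain keeps the defconf rules, admits new connections to the management ports only from cnet-mgmt, then drops those ports from everyone on every interface before the LAN accept. Whether either effect is behind the behaviour reported in the thread cannot be told from a partial config.

```python
"""Added example: first-match simulation of a RouterOS /ip firewall filter input chain.

Constructed data throughout; only the rule parameters visible on the page are taken
from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed lists (not from the thread): the management network and interface membership.
ADDRESS_LISTS = {"cnet-mgmt": ["10.0.0.0/24"]}
INTERFACE_LISTS = {"WAN": {"core1-po12-WAN"}, "LAN": {"bridge-lan"}}
WAN = "core1-po12-WAN"                       # interface name from the posted rules
MGMT_PORTS = {22, 80, 8291, 8729}            # ssh, http, winbox, api-ssl (ports from the posted rules)


@dataclass
class Packet:
    src: str
    proto: str            # tcp | udp | icmp
    dst_port: int         # 0 for icmp
    conn_state: str       # new | established | related | untracked | invalid
    in_interface: str


@dataclass
class Rule:
    """One filter rule; None means the matcher is not set, as in RouterOS."""
    action: str                               # accept | drop
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[set] = None
    connection_state: Optional[set] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_address_list: Optional[str] = None    # "name" or "!name" (negated), RouterOS syntax

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port not in self.dst_port:
            return False
        if self.connection_state is not None and pkt.conn_state not in self.connection_state:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list is not None and pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.src_address_list is not None:
            negate = self.src_address_list.startswith("!")
            nets = ADDRESS_LISTS[self.src_address_list.lstrip("!")]
            in_list = any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in nets)
            if in_list == negate:             # outside a positive list, or inside a negated one
                return False
        return True


def evaluate(chain, pkt):
    """First matching rule decides; a RouterOS chain accepts when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit: end of chain"


ER = {"established", "related"}

# The rules as posted (OSPF rule omitted); src-address-list=cnet-mgmt on the
# truncated continuation lines is an assumption.
POSTED = [
    Rule("accept", "Block all access to ssh except cnet-mgmt", protocol="tcp", dst_port={22},
         connection_state=ER, in_interface=WAN, src_address_list="cnet-mgmt"),
    Rule("accept", "Block all access to http except cnet-mgmt", protocol="tcp", dst_port={80},
         connection_state=ER, in_interface=WAN, src_address_list="cnet-mgmt"),
    Rule("accept", "Block all access to winbox except cnet-mgmt", protocol="tcp", dst_port={8291},
         connection_state=ER, in_interface=WAN, src_address_list="cnet-mgmt"),
    Rule("accept", "Sonar API SSL Login", protocol="tcp", dst_port={8729},
         connection_state=ER, in_interface=WAN, src_address_list="cnet-mgmt"),
    Rule("drop", "drop WAN input", in_interface=WAN),
]

# Hardened chain: defconf rules, then management ports gated on the address list
# regardless of interface, then the LAN service accept, then drop everything else.
HARDENED = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("accept", "mgmt ports: new connections from cnet-mgmt only", protocol="tcp",
         dst_port=MGMT_PORTS, connection_state={"new"}, src_address_list="cnet-mgmt"),
    Rule("drop", "mgmt ports: everyone else, any interface", protocol="tcp", dst_port=MGMT_PORTS),
    Rule("accept", "LAN may reach router services (DNS, DHCP, ...)", in_interface_list="LAN"),
    Rule("drop", "drop all else"),
]

# Constructed packets: the first packet (SYN) of a new session in every case.
SCENARIOS = {
    "ssh_new_from_mgmt_via_wan": Packet("10.0.0.5", "tcp", 22, "new", WAN),
    "ssh_new_from_internet_via_wan": Packet("203.0.113.7", "tcp", 22, "new", WAN),
    "ssh_new_from_lan_host": Packet("192.168.88.20", "tcp", 22, "new", "bridge-lan"),
    "dns_new_from_lan_host": Packet("192.168.88.20", "udp", 53, "new", "bridge-lan"),
}


def compare():
    """Verdict of (posted chain, hardened chain) for every scenario."""
    return {name: (evaluate(POSTED, p)[0], evaluate(HARDENED, p)[0]) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:32s} posted={verdicts[0]:6s} hardened={verdicts[1]}")
```

In RouterOS terms the two management rules of the hardened chain are an accept rule in the input chain with connection-state=new protocol=tcp dst-port=22,80,8291,8729 src-address-list=cnet-mgmt, followed by a drop rule with the same protocol and dst-port and no other matcher, both placed above the in-interface-list=LAN accept so that LAN hosts outside the management list are covered too. The dns_new_from_lan_host scenario is there to check that ordering: the LAN accept still admits everything that is not a management port.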