Allow me please ressurect this thread. :) I have simmilar issues.. only first DST-NAT rule works. all other rules are simply not working.. not even incoming packets in statistics... but as soon i add the port to the first rule, it works. :( tried to disable input filters in firewall, but no luck. :(...

as i said... with hAP AC it's working immediately even with country set. :) EDIT: after setting country and letting it as is... after exactly 10 minutes, the 5G iface comes up... so maybe the "listening" regulation is true.... but in the log on the capsman side, there is record, that 5ghz-...

no.. i have auto channel...

and i forgot to mention.. the same config works with hAP AC which I have on the same network. when i add country, it stops working. note, that 2.4GHz is workign with country set

Hi... I have cAP AC as CAP connecting to RB3011 with CAPsMAN. As soon as I enter COUNTRY to CAPsMAN configuration, the 5GHz WLAN on cAP AC will not connect. Whe removing COUNTRY, it connects and working.

When can I see the source blacklists? From where you are taking IP addresses? Can I exclude some blacklist sources?

Thanks!

PS: Are you accepting some donations? This stuff is bloody hell good.

Your firewall rules are great. Only DST-NAT is not working.... Last two filter rules needs to be modded like this: add action=drop chain=forward comment="Drop everything else on WAN1" in-interface=wan1 connection-nat-state=!dstnat add action=drop chain=forward comment="Drop everything...

Okay...the config... Central MKT (RB3011) - LAN 192.168.3.10/24, OVPN IP 10.168.3.1/24 (pool 10.168.3.2-10.168.3.254) Branch 1 MKT (hAP AC) - LAN 192.168.31.1/24, OVPN IP dynamic from pool on central, PRINTER IP: 192.168.31.3 Branch 2 MKT (hAP AC) - LAN 192.168.32.1/24, OVPN IP dynamic from pool on ...

That's why I am generating TOR exit nodes list every hour. Check my post earlier. Could you compare my lists with yours? Probably there's something to make better...on both.

yeah...that's true...but.. for me, in enterprise environment, tor should not be allowed.

Yeah, but privacy is not always secure.... in Tor there is lot of ransomware servers hidden. No connection to TOR, no encrypted disk.

I've gone ahead and started publishing my dynamic filter list for RouterOS 6.x. My server generates the list each night after collecting data on all known botnets, C&C server, and spammers. Currently the list runs about 3k entries, so it may not work well on low end routers. Here is the script ...

If you want, you can use my blacklists. Blacklists updated every hour. TOR Exit Nodes OpenBL SpamHaus DROP list DShield malc0de RSC will create address-list named "Blacklist", IP's will be commented. Duplicate IP's will be skipped, if exists. And of course, don't forget to schedule it and ...