Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Bind9 server and mailserver/website

Fri Dec 11, 2015 2:02 pm

Hello, I'm trying to set up a mail server and website server.
It's on a separate VLAN and I'm forwarding/NATing port 53 UDP/TCP, but I can't get it to work.
At the domain hosting provider I've set up an A record that points to my external WAN, so ns.example.com to 10.10.10.10, an MX record with mail.example.com to ns.example.com, and a CNAME to webmail.example.com.
In the MikroTik I've forwarded webmail to the mail server on port 443 and I can access it from outside, but I can't telnet into my mail server. Not with the domain name or the external IP, and I also forward/NAT to my mail server on ports 25, 587 ...
On the LAN side I can access everything with my DNS server.
What could be the problem...?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 4:09 pm

Post an export of your configuration by issuing these commands in a terminal and paste the output here:
/ip export
/interface export
/ip route print
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 4:47 pm

On the LAN side I can access everything with my DNS server.
What could be the problem...?
When you're trying to access the port via the public address, are you trying this from the same network the server is on?
If so, then you need to add a hairpin nat rule. If the inside server network is 192.168.100.0/24, add this rule:

add chain=srcnat src-address=192.168.100.0/24 out-interface=ether2 action=masquerade
(where ether2 is the interface with the server network)
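The hairpin rule above is one of two things worth checking in a RouterOS NAT export before chasing DNS or provider records: whether a masquerade toward the server's own interface exists at all, and whether every dst-nat rule sends traffic to the port it claims to forward. The following checker is an added example written for this thread, not code from the original posts or from MikroTik. It parses the `add ...` lines of an export (joining the trailing-backslash continuations RouterOS emits), flags dst-nat rules whose `to-ports` differs from `dst-port`, and reports whether a non-WAN masquerade rule of the kind suggested above is present. The sample export is constructed in the shape of this thread's config; `pppoe` as the WAN interface, `192.168.100.0/24` and `ether2` are taken from the replies above, and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a RouterOS "/ip firewall nat" export.
# Not the full export from the thread; the 465 -> 80 rule is deliberately
# included to show what a copy-paste defect looks like to the checker.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Server" out-interface=\
pppoe src-address-list=Server
add action=dst-nat chain=dstnat comment=mailserver dst-port=465 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=mailserver dst-port=443 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=443
add action=dst-nat chain=dstnat comment=nameserver dst-port=53 in-interface=\
pppoe protocol=udp to-addresses=192.168.10.4 to-ports=53
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
_TOKEN = re.compile(r'([\w-]+)=("([^"]*)"|(\S+))')


def join_continuations(text: str) -> List[str]:
    """Join lines that RouterOS wrapped with a trailing backslash.

    The export breaks long lines as 'key=\\' + newline + 'value', so the
    continuation is concatenated directly, without inserting a space.
    """
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Turn each 'add ...' line into a dict of its key=value pairs.

    The enclosing section path (e.g. '/ip firewall nat') is kept under
    the '_section' key so rules from different sections can be told apart.
    """
    rules, section = [], ""
    for line in join_continuations(text):
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rule = {"_section": section}
            for m in _TOKEN.finditer(line[4:]):
                rule[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
            rules.append(rule)
    return rules


def port_mismatches(rules: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (comment, dst-port, to-ports) for dst-nat rules that rewrite the port.

    A deliberate port translation is legitimate, but in a home export a
    to-ports that differs from dst-port is far more often a copy-paste error.
    """
    found = []
    for r in rules:
        if r.get("action") == "dst-nat" and "to-ports" in r and "dst-port" in r:
            if r["to-ports"] != r["dst-port"]:
                found.append((r.get("comment", ""), r["dst-port"], r["to-ports"]))
    return found


def hairpin_masquerade_present(rules: List[Dict[str, str]], wan_interface: str) -> bool:
    """Heuristic: is there a srcnat masquerade toward an internal interface?

    The hairpin rule suggested in the thread masquerades a LAN source subnet
    out of the interface that carries the server network, i.e. any masquerade
    whose out-interface is not the WAN and that names a source address/list.
    """
    return any(
        r.get("chain") == "srcnat"
        and r.get("action") == "masquerade"
        and r.get("out-interface") not in (None, wan_interface)
        and ("src-address" in r or "src-address-list" in r)
        for r in rules
    )


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_EXPORT)
    for comment, dst, to in port_mismatches(parsed):
        print(f"dst-nat '{comment}': dst-port {dst} forwarded to to-ports {to}")
    print("hairpin masquerade present:", hairpin_masquerade_present(parsed, "pppoe"))
```

Run it against a full `/ip firewall export` pasted into `SAMPLE_EXPORT` (or read from a file); the parser ignores the comment header lines and sections it does not care about, so the whole export can be fed in unchanged. The hairpin check is only a heuristic: it cannot tell whether the source subnet in the masquerade rule actually covers the clients that need to reach the server by its public address.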
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 9:18 pm

Hello, if I try to connect by the public IP then it is on a different network, it's not on a local LAN, if that's what you mean? So for example on the WAN it's then telnet 55.55.55.55 25 and the server is on a 192.168.10.4 local LAN.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 9:21 pm

/ip firewall export
post the results here.
(sanitize the public IP addresses if you need to, but be consistent 192.0.2.3 -> x.x.x.3 and 192.0.3.3 -> y.y.y.3 etc)
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 9:46 pm

Here is the ip print, it's a large file.

IP PRINT

# dec/11/2015 20:40:53 by RouterOS 6.33.3
# software id = D6BX-R4KS
#
/ip dhcp-client option
add code=60 name=classid value=0x416d696e6f616d696e65743133306d6669737973
add code=43 name=vendor-Specific value=\
0x783033783039616d696e65743133307830347830356669737973
/ip firewall layer7-protocol
add name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
add name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|ente\
rtane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitso\
up|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demono\
id|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|\
fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=netflix regexp="^.*(get|GET).+(netflix).*\$"
add name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
add name=swf regexp="^.*(get|GET).+\\.swf.*\$"
add name=flv regexp="^.*(get|GET).+\\.flv.*\$"
add name=video regexp="^.*(get|GET).+(\\.flv|\\.mp4|netflix|\\.swf).*\$"
add name=itvonline regexp="^.*(get|GET).+(itvonline).*\$"
add name=wxs regexp="^.*(get|GET).+(wxs).*\$"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-256-cbc \
pfs-group=none
/ip pool
add name=LanPool ranges=192.168.1.1-192.168.1.50
add name=GuestPool ranges=192.168.3.0/27
add name=VpnPool ranges=192.168.21.1-192.168.21.14
add name=ServerPool ranges=192.168.10.0/27
add name=OpenVpnPool2 ranges=192.168.30.5-192.168.30.6
add name=TvPool ranges=192.168.4.0/27
add name=VpnPoolAdmin ranges=192.168.22.1-192.168.22.14
add name=ProxyPool ranges=192.168.5.0/30
add name=OpenVpnPool1 next-pool=OpenVpnPool2 ranges=192.168.30.1-192.168.30.2
/ip address
add address=192.168.1.1/24 comment="LAN IP Subnet" interface=bridge-internet \
network=192.168.1.0
add address=192.168.3.1/27 comment="Guest Lan" interface=bridge-guest \
network=192.168.3.0
add address=192.168.10.1/27 comment="Server Lan" interface=bridge-server \
network=192.168.10.0
add address=192.168.2.250/24 comment="Phone Lan" interface=ether8 network=\
192.168.2.0
add address=192.168.4.1/27 comment=Tv interface=bridge-tv network=192.168.4.0
add address=192.168.5.1/30 interface=bridge-proxy network=192.168.5.0
/ip dhcp-server
add add-arp=yes address-pool=LanPool disabled=no interface=bridge-internet \
lease-time=3d name=dhcp1
add add-arp=yes address-pool=GuestPool disabled=no interface=bridge-guest \
lease-time=50m name=dhcp2
add add-arp=yes address-pool=ServerPool disabled=no interface=bridge-server \
lease-time=3d name=dhcp3
add address-pool=TvPool disabled=no interface=bridge-tv name=dhcp4
add address-pool=ProxyPool disabled=no interface=bridge-proxy name=dhcp5
/ip dhcp-server lease
add address=192.168.1.15 comment="Playstation 4" mac-address=\
70:9E:29:36:F5:68 server=dhcp1
add address=192.168.10.13 comment=ademco mac-address=00:18:AE:3C:70:28 \
server=dhcp3
add address=192.168.10.14 comment=UTC1806 mac-address=00:B0:19:80:D0:13 \
server=dhcp3
add address=192.168.1.12 client-id=1:28:10:7b:1e:8f:fb mac-address=\
28:10:7B:1E:8F:FB server=dhcp1
add address=192.168.10.15 client-id=1:e4:f4:c6:fd:4b:7f comment=\
"Netgear gs105e Meterkast" mac-address=E4:F4:C6:FD:4B:7F server=dhcp3
add address=192.168.1.10 client-id=1:e4:f4:c6:fd:48:6c comment=\
"Netgear gs105e TvMeubel" mac-address=E4:F4:C6:FD:48:6C server=dhcp1
add address=192.168.10.4 comment=dns mac-address=A2:0F:48:34:9E:4F server=\
dhcp3
add address=192.168.10.3 mac-address=F6:FB:56:82:61:00 server=dhcp3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.10.4 gateway=192.168.1.1
add address=192.168.3.0/27 gateway=192.168.3.1
add address=192.168.4.0/27 gateway=192.168.4.1
add address=192.168.5.0/30 gateway=192.168.5.1
add address=192.168.10.0/27 gateway=192.168.10.1
/ip dns
set servers=192.168.10.4,208.67.220.220,208.67.222.222
/ip firewall address-list
add address=192.168.1.0/24 list=LocalLan
add address=192.168.21.0/28 list=VpnClientLan
add address=192.168.3.0/27 list=GuestLan
add address=192.168.0.0/16 list=internal-nets
add address=62.131.60.211 list=external-nets
add address=192.168.10.0/27 list=Server
add address=192.168.2.0/24 list=PhoneLan
add address=192.168.30.1-192.168.30.2 list=OpenVpnLan1
add address=192.168.30.5-192.168.30.6 list=OpenVpnLan2
add address=192.168.4.0/27 list=tvlan
add address=192.168.22.0/28 list=VpnAdmin
add address=192.168.5.0/30 list=ProxyLan
/ip firewall connection tracking
set tcp-established-timeout=1h30m
/ip firewall filter
add chain=input in-interface=pppoe protocol=icmp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add chain=forward comment=dns dst-address=192.168.10.4 dst-port=53 log=yes \
log-prefix=Dns protocol=tcp
add chain=forward comment=dns dst-address=192.168.10.4 dst-port=53 log=yes \
log-prefix=Dns protocol=udp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment=\
"Allow acces to the router from the LAN ussing a addres list" \
src-address-list=LocalLan
add chain=input comment=\
"Allow acces to the router from the Proxylan ussing a addres list" \
src-address-list=ProxyLan
add chain=input comment=\
"Allow acces to the router from the phonelan ussing a addres list" \
disabled=yes src-address-list=PhoneLan
add chain=input comment=\
"Allow acces to the router from the SERVER ussing a addres list" log=yes \
log-prefix=server src-address-list=Server
add action=drop chain=input comment="drop webfig from Guest" dst-address=\
192.168.1.1 dst-port=81 protocol=tcp src-address-list=GuestLan
add chain=input comment=\
"Allow acces to the router from the GUEST ussing a addres list" \
src-address-list=GuestLan
add chain=input comment=\
"Allow acces to the router from the OpenVpn ussing a addres list" \
src-address-list=OpenVpnLan
add chain=input comment=\
"Allow acces to the router from thetvlan ussing a addres list" \
src-address-list=tvlan
add action=drop chain=input comment="drop webfig from VpnClient" dst-address=\
192.168.1.1 dst-port=81 protocol=tcp src-address-list=VpnClientLan
add chain=input comment=\
"Allow acces to the router from the VPN ussing a addres list" \
src-address-list=VpnClientLan
add chain=input comment=\
"Allow acces to the router from the VPNAdmin ussing a addres list" \
src-address-list=VpnAdmin
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add chain=forward comment="Allow connections from the OpenVpn" \
connection-state=new src-address-list=OpenVpnLan1
add chain=forward comment="Allow connections from the OpenVpn" \
connection-state=new src-address-list=OpenVpnLan2
add chain=forward comment="Allow connections from the LAN" connection-state=\
new src-address-list=LocalLan
add chain=forward comment="Allow connections from the Proxy" \
connection-state=new src-address-list=ProxyLan
add chain=forward comment="Allow connections from the Phonelan" \
connection-state=new disabled=yes src-address-list=PhoneLan
add chain=forward comment="Allow connections from the tvlan" \
connection-state=new src-address-list=tvlan
add chain=forward comment="Allow connections from the quest" \
connection-state=new src-address-list=GuestLan
add chain=forward comment="Allow connections from the SERVER" \
connection-state=new src-address-list=Server
add chain=forward comment="Allow connections from the VPN" connection-state=\
new src-address-list=VpnClientLan
add chain=forward comment="Allow connections from the VPNAdmin" \
connection-state=new src-address-list=VpnAdmin
add chain=forward comment="Allow acces to Playstation" dst-address=\
192.168.1.15 dst-port=\
1116-1199,2001,3478,3479,3658,5165,8080,10070,27900-27901 protocol=udp
add chain=forward comment="Allow acces to Playstation" dst-address=\
192.168.1.15 dst-port=\
465,983,1116-1199,3478,3479,3480,5223,8080,9293,10070-10080,28910 \
protocol=tcp
add chain=forward comment="Allow acces to Mailserver" dst-address=\
192.168.10.3 dst-port=25,143,443,465,587,993 log=yes log-prefix=Mail \
protocol=tcp
add chain=forward comment="Guest HTTP ACCES" dst-port=80 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest MAIL ACCES" dst-port=993 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest MAIL ACCES" dst-port=465 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest MAIL ACCES" dst-port=465 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest MAIL ACCES" dst-port=25 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest MAIL ACCES" dst-port=587 protocol=tcp \
src-address-list=GuestLan
add chain=forward comment="Guest DNS ACCES" dst-port=53 protocol=tcp \
src-address-list=OutGuestLan
add chain=forward comment="Guest HTTPS ACCES" dst-port=443 protocol=tcp \
src-address-list=GuestLan
add action=drop chain=forward comment="Drop connections to the LAN Subnet" \
dst-address-list=GuestLan src-address-list=LocalLan
add action=drop chain=forward comment="Drop connections to the SERVER Subnet" \
dst-address-list=GuestLan src-address-list=Server
add action=drop chain=forward comment="Guest drop rule to Lan" \
dst-address-list=LocalLan src-address-list=GuestLan
add action=drop chain=forward comment="Guest drop rule to Server" \
dst-address-list=Server src-address-list=GuestLan
add chain=forward comment="Allow established connections" connection-state=\
established
add chain=forward comment="Allow related connections" connection-state=\
related
add chain=input comment="Allow related connections to the router" \
connection-state=related
add chain=input comment="Allow established connections to the router" \
connection-state=established
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add chain=input comment="Allow VPN" connection-state=new protocol=ipsec-esp
add chain=input comment="Allow VPN" connection-state=new protocol=ipsec-ah
add chain=input comment="Allow VPN" dst-port=500,1701,4500 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus
add action=log chain=input comment="Log everything else" log-prefix=\
"DROP INPUT"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " log=\
yes log-prefix="port scannes to address list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" log=yes \
log-prefix="drop scanners" src-address-list="port scanners"
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
log=yes log-prefix=ssh-stage3 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 log=\
yes log-prefix=ssh-stage2 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 log=\
yes log-prefix=SSH-stage1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment=\
"Drop all other traffic through the router"
add action=drop chain=input comment="Drop al other traffic to the router"
/ip firewall mangle
add action=add-dst-to-address-list address-list="kpnaddres list" \
address-list-timeout=1d chain=prerouting comment="Mark kpn address list" \
content=itvonline.nl dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list="kpnaddres list" \
address-list-timeout=1d chain=prerouting comment="Mark kpn address list" \
content=wxs.nl dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list="kpnaddres list" \
address-list-timeout=1d chain=prerouting comment="Mark kpn address list" \
dst-port=80 layer7-protocol=itvonline protocol=tcp
add action=add-dst-to-address-list address-list="kpnaddres list" \
address-list-timeout=1d chain=prerouting comment="Mark kpn address list" \
dst-port=80 layer7-protocol=wxs protocol=tcp
add action=mark-routing chain=prerouting comment=Kpn dst-address-list=\
"!kpnaddres list" dst-port=80 new-routing-mark=to_proxy protocol=tcp \
src-address-list=OutLocalLan
add action=mark-routing chain=prerouting comment="Proxy Lan HTTP MARK" \
disabled=yes dst-port=80 new-routing-mark=to_proxy protocol=tcp \
src-address-list=OutLocalLan
add action=mark-routing chain=prerouting comment="Proxy Vpn HTTP MARK" \
disabled=yes dst-port=80 new-routing-mark=to_proxy protocol=tcp \
src-address-list=OutVpnLan
add action=mark-routing chain=prerouting comment="Proxy Guest HTTP MARK" \
disabled=yes dst-port=80 new-routing-mark=to_proxy protocol=tcp \
src-address-list=OutGuestLan
add action=mark-packet chain=prerouting comment=\
"internal-traffic packet mark" dst-address-list=internal-nets \
new-packet-mark=internal-traffic passthrough=no src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
in-interface=pppoe new-packet-mark=admin-in passthrough=no protocol=udp \
src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
dst-port=161 in-interface=pppoe new-packet-mark=admin-in passthrough=no \
protocol=udp
add action=mark-connection chain=prerouting comment=\
"Remote Protocols admin connection mark" new-connection-mark=admin port=\
20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
"icmp connection mark as admin" new-connection-mark=admin protocol=icmp \
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
connection-mark=admin in-interface=pppoe new-packet-mark=admin-in \
passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
connection-mark=admin new-packet-mark=admin-out passthrough=no
add action=mark-connection chain=prerouting comment=\
"streaming video connection mark" dst-port=80 layer7-protocol=video \
new-connection-mark=streaming-video protocol=tcp src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment=\
"streaming video in packet mark" connection-mark=streaming-video \
in-interface=pppoe new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment=\
"streaming video out packet mark" connection-mark=streaming-video \
new-packet-mark=streaming-video-out passthrough=no
add action=mark-connection chain=prerouting comment=\
"http traffic connection mark" dst-port=80,443 new-connection-mark=http \
protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" \
connection-mark=http in-interface=pppoe new-packet-mark=http-in \
passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" \
connection-mark=http new-packet-mark=http-out passthrough=no
add action=mark-connection chain=prerouting comment=\
"wow connetion mark as gaming" dst-port=\
1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp \
src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"eve online connetion mark as gaming" dst-address=87.237.38.200 \
new-connection-mark=games src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"steam connetion mark as gaming" dst-port=27014-27050 \
new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
"games packet mark forever-saken-game" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no src-address-list=\
forever-saken-game
add action=mark-packet chain=prerouting comment="games packet mark wow" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment=\
"games packet mark starcraft2" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
new-packet-mark=games-out passthrough=no protocol=udp src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
"games packet mark ps3 online" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=\
3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
connection-mark=games dst-address-list=external-nets new-packet-mark=\
games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" \
connection-mark=games new-packet-mark=games-out passthrough=no
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark teamspeak" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark teamspeak" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
100-400 passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp \
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no \
port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
new-packet-mark=voip-in packet-size=100-400 passthrough=no port=\
16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
in-interface=pppoe new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
in-interface=pppoe new-packet-mark=vpn-in passthrough=no protocol=\
ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
"vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=\
"vpn-in packet mark VPN UDP ports" in-interface=pppoe new-packet-mark=\
vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
in-interface=pppoe new-packet-mark=vpn-in passthrough=no protocol=tcp \
src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="all in" in-interface=pppoe \
new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Server" out-interface=\
pppoe src-address-list=Server
add action=masquerade chain=srcnat comment="Masquerade ProxyLan" \
out-interface=pppoe src-address-list=ProxyLan
add action=masquerade chain=srcnat comment="Masquerade LocalLan" \
out-interface=pppoe src-address-list=LocalLan
add action=masquerade chain=srcnat comment="Masquerade GuestLan" \
out-interface=pppoe src-address-list=GuestLan
add action=masquerade chain=srcnat comment="Masquerade PhoneLan" \
dst-address-list=PhoneLan log=yes log-prefix=phone out-interface=ether8
add action=masquerade chain=srcnat comment="Masquerade VpnClient" \
out-interface=pppoe src-address-list=VpnClientLan
add action=masquerade chain=srcnat comment="Masquerade VpnAdmin" \
out-interface=pppoe src-address-list=VpnAdmin
add action=masquerade chain=srcnat comment="Masquerade OpenVpn" \
out-interface=pppoe src-address-list=OpenVpnLan1
add action=masquerade chain=srcnat comment=Masqueradetvlan out-interface=\
pppoe src-address-list=tvlan
add action=dst-nat chain=dstnat comment=openvpn dst-port=1194 protocol=tcp \
to-ports=1194
add action=dst-nat chain=dstnat comment=VPN dst-port=500 protocol=udp \
to-ports=500
add action=dst-nat chain=dstnat comment=VPN dst-port=1701 protocol=udp \
to-ports=1701
add action=dst-nat chain=dstnat comment=VPN dst-port=4500 protocol=udp \
to-ports=4500
add action=dst-nat chain=dstnat comment=mailserver dst-port=80 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=mailserver dst-port=465 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=mailserver dst-port=587 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=mailserver dst-port=25 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=mailserver dst-port=443 in-interface=\
pppoe protocol=tcp to-addresses=192.168.10.3 to-ports=443
add action=dst-nat chain=dstnat comment=nameserver dst-address=62.131.60.211 \
dst-port=53 in-interface=pppoe protocol=tcp to-addresses=192.168.10.4 \
to-ports=53
add action=dst-nat chain=dstnat comment=nameserver dst-address=62.131.60.211 \
dst-port=53 in-interface=pppoe protocol=udp to-addresses=192.168.10.4 \
to-ports=53
add action=dst-nat chain=dstnat comment=playstation4 dst-port=465 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=465
add action=dst-nat chain=dstnat comment=playstation4 dst-port=983 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=983
add action=dst-nat chain=dstnat comment=playstation4 dst-port=1116-1199 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=1116-1199
add action=dst-nat chain=dstnat comment=playstation4 dst-port=1935 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=1935
add action=dst-nat chain=dstnat comment=playstation4 dst-port=3478-3480 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=3478-3480
add action=dst-nat chain=dstnat comment=playstation4 dst-port=5223 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=5223
add action=dst-nat chain=dstnat comment=playstation4 dst-port=8080 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=8080
add action=dst-nat chain=dstnat comment=playstation4 dst-port=9293 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=9293
add action=dst-nat chain=dstnat comment=playstation4 dst-port=10070-10080 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=10070-10080
add action=dst-nat chain=dstnat comment=playstation4 dst-port=28910 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=tcp to-addresses=\
192.168.1.15 to-ports=28910
add action=dst-nat chain=dstnat comment=playstation4 dst-port=1116-1199 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=1116-1199
add action=dst-nat chain=dstnat comment=playstation4 dst-port=3074 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=3074
add action=dst-nat chain=dstnat comment=playstation4 dst-port=3478-3479 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=3478-3479
add action=dst-nat chain=dstnat comment=playstation4 dst-port=3658 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=3658
add action=dst-nat chain=dstnat comment=playstation4 dst-port=5165 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=5165
add action=dst-nat chain=dstnat comment=playstation4 dst-port=8080 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=8080
add action=dst-nat chain=dstnat comment=playstation4 dst-port=9308 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=9308
add action=dst-nat chain=dstnat comment=playstation4 dst-port=2001 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=9308
add action=dst-nat chain=dstnat comment=playstation4 dst-port=10070 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=10070
add action=dst-nat chain=dstnat comment=playstation4 dst-port=27900-27901 \
in-interface=pppoe log=yes log-prefix=PS4 protocol=udp to-addresses=\
192.168.1.15 to-ports=27900-27901
/ip firewall service-port
set ftp disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp \
generate-policy=port-override local-address=0.0.0.0 secret=dVz6JF
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=192.168.10.4 \
routing-mark=to_proxy
add disabled=yes distance=10 gateway=pppoe routing-mark=to_proxy
add check-gateway=ping disabled=yes distance=1 gateway=pppoe routing-mark=kpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 9:48 pm

INTERFACE EXPORT

# dec/11/2015 20:41:29 by RouterOS 6.33.3
# software id = D6BX-R4KS
#
/interface bridge
add arp=proxy-arp name=bridge-guest
add arp=proxy-arp mtu=1500 name=bridge-internet
add arp=proxy-arp name=bridge-iptv
add arp=disabled name=bridge-proxy
add arp=proxy-arp name=bridge-server
add arp=proxy-arp name=bridge-tel
add arp=proxy-arp name=bridge-tv
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=WAN speed=1Gbps
set [ find default-name=ether2 ] mac-address=00:02:02:4F:29:3E
set [ find default-name=ether4 ] comment="Netgear Server Vlan"
set [ find default-name=ether5 ] comment="Iptv Lan"
set [ find default-name=ether6 ] comment=Lan
set [ find default-name=ether7 ] comment="Netgear Internet Iptv"
set [ find default-name=ether8 ] comment=PhoneLan
set [ find default-name=ether9 ] comment=PhoneWan speed=1Gbps
/interface vlan
add interface=ether7 l2mtu=1516 name=vlan1.1 vlan-id=1
add comment="Kpn Iptv Wan" interface=ether1 l2mtu=1516 name=vlan1.4 vlan-id=4
add comment="Kpn Intenet Wan" interface=ether1 l2mtu=1516 name=vlan1.6 \
vlan-id=6
add comment="Kpn Phone Wan" interface=ether1 l2mtu=1516 name=vlan1.7 vlan-id=\
7
add comment=Internet interface=ether7 l2mtu=1516 name=vlan1.8 vlan-id=8
add arp=proxy-arp comment=internet interface=ether2 l2mtu=1516 name=vlan2.1 \
vlan-id=21
add arp=proxy-arp comment=server interface=ether2 l2mtu=1516 name=vlan2.2 \
vlan-id=22
add arp=proxy-arp comment=guest interface=ether2 l2mtu=1516 name=vlan2.3 \
vlan-id=23
add arp=proxy-arp comment=proxy interface=ether2 l2mtu=1516 name=vlan2.4 \
vlan-id=24
add arp=proxy-arp interface=ether2 l2mtu=1516 name=vlan2.5 vlan-id=25
add comment=telefoon interface=ether9 l2mtu=1516 name=vlan10.7 vlan-id=7
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan1.6 \
keepalive-timeout=20 max-mru=1480 max-mtu=1480 name=pppoe password=kpn \
user=70-9F-2D-89-00-4B@direct-adsl
/interface ethernet switch port
set 0 vlan-mode=disabled
set 1 vlan-mode=disabled
set 2 vlan-mode=disabled
set 3 vlan-mode=disabled
set 4 vlan-mode=disabled
set 5 vlan-mode=disabled
set 6 vlan-mode=disabled
set 7 vlan-mode=disabled
set 8 vlan-mode=disabled
set 9 vlan-mode=disabled
set 10 vlan-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WPA2 \
supplicant-identity="" wpa-pre-shared-key=6221lis8814 \
wpa2-pre-shared-key=6221lis8814
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2442 \
ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mc\
s-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" hw-retries=15 mode=\
ap-bridge rx-chains=0,1 security-profile=WPA2 ssid=Diesel tx-chains=0,1 \
wireless-protocol=802.11
add disabled=no mac-address=4E:5E:0C:11:1C:A6 master-interface=wlan1 name=\
wlan2 ssid=guest wds-cost-range=0 wds-default-cost=0
add disabled=no mac-address=4E:5E:0C:11:1C:A5 master-interface=wlan1 name=\
wlan3 security-profile=WPA2 ssid=Te_lie_vision
add disabled=no mac-address=4E:5E:0C:11:1C:A7 master-interface=wlan1 name=\
wlan4 ssid=0,1,1,2,3,5,8,13,21,34,55,89,144
/interface bridge port
add bridge=bridge-internet interface=wlan1
add bridge=bridge-internet interface=ether6
add bridge=bridge-iptv interface=vlan1.4
add bridge=bridge-tel interface=vlan1.7
add bridge=bridge-tel interface=vlan10.7
add bridge=bridge-server interface=ether4
add bridge=bridge-internet interface=vlan1.1
add bridge=bridge-iptv interface=ether5
add bridge=bridge-server disabled=yes
add bridge=bridge-internet disabled=yes
add bridge=bridge-guest disabled=yes
add bridge=bridge-guest interface=wlan2
add bridge=bridge-iptv interface=vlan1.8
add bridge=bridge-tv interface=wlan3
add bridge=bridge-guest interface=wlan4
add bridge=bridge-internet interface=vlan2.1
add bridge=bridge-server interface=vlan2.2
add bridge=bridge-guest interface=vlan2.3
add bridge=bridge-internet interface=ether3
add bridge=bridge-proxy interface=vlan2.4
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1400 max-mtu=1400
/interface ovpn-server server
set auth=sha1 certificate=cert_7 cipher=aes256 default-profile=openvpnprofile \
enabled=yes max-mtu=1450 require-client-certificate=yes
/interface pptp-server server
set enabled=yes max-mru=1460 max-mtu=1460
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 9:54 pm

IP ROUTE PRINT

Flags: A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS         PREF-SRC        GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                           195.190.228.54          0
 1 ADC  192.168.1.0/24      192.168.1.1     bridge-internet         0
 2 ADC  192.168.2.0/24      192.168.2.250   ether8                  0
 3 ADC  192.168.3.0/27      192.168.3.1     bridge-guest            0
 4 ADC  192.168.4.0/27      192.168.4.1     bridge-tv               0
 5 ADC  192.168.5.0/30      192.168.5.1     bridge-proxy            0
 6 ADC  192.168.10.0/27     192.168.10.1    bridge-server           0
 7 ADC  195.190.228.54/32   62.131.60.211   pppoe                   0
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 10:14 pm

I also read this article about Bind9, and if this is true then maybe this is the problem: I have configured my domain names to my internal IP instead of the external one. But one thing I cannot understand: if I want to host multiple websites on port 443, will that work then with one WAN IP address?

The article is on this site: http://www.aitechsolutions.net/dnsservertips.html
And this is what it says...

If you have a DNS Server behind a firewall and NAT (or PAT) is enabled, where your "Public" IP Address is different
than your "Private" IP Address, you need to configure the NAT'ted IP address in your zone files and not the inside
or Private IP Address for your internet serving DNS.

This is because the "Query Response" sent back to the requester is contained in the data portion of the packet
and as such will not be changed by the router or router\firewall.

In a nutshell, the requesting systems in the public domain needs to know the public IP address to use as the
destination from their point of view..
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bind9 server and mailserver/website

Fri Dec 11, 2015 11:28 pm

In a nutshell, the requesting systems in the public domain needs to know the public IP address to use as the
destination from their point of view..
You use views to accomplish this.

The first thing I see is that the servers are on a different network than the users. This means that you don't need hairpin rules at all.

As for the DNS service not being available from the Internet: I don't see any rules in the dstnat chain for DNS. You've permitted the traffic in the forwarding chain, but haven't actually mapped the ports with NAT.

Add the following to the NAT table:
/ip firewall nat
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 action=jump jump-target=pinholes
add chain=pinholes protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.10.4
add chain=pinholes protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.10.4
add chain=pinholes action=return

In the future, if you want to map more ports, add them to the pinholes chain
e.g.
add chain=pinholes protocol=tcp dst-port=80,443 action=dst-nat to-addresses=ip.of.web.srv
and make sure the RETURN rule is last in the chain.
There's no need to check the interfaces, etc. anymore, because by the time a packet is in this chain it's known to be a candidate for pinholes, as opposed to, say, DHCP requests hitting the router from the LAN side.

Make sure the dstnat jump rule comes before the existing rules.
- by the way, change the action on the existing rules to just be "accept" - that will be faster and do the same thing.


IMHO, firewall configurations like this are about ten times too complicated. They add lots of overhead, both to the system's ability to process traffic and to the administrative burden of troubleshooting and configuration management, and at the end of the day this doesn't increase security enough to merit the added complexity.

As for internal policies in the firewall, those are normal, but I would recommend that you split the forwarding chain up into separate chains - e.g. GUEST policy could be a chain. Make one rule in forward that checks in-interface=guest_vlan and jumps into the GUEST policy chain. For every non-guest packet, you've eliminated 9 or more rules to check. (I counted about 9 rules that reference the guest address-list...)

When I need more than a basic "block all incoming, allow all outgoing" firewall (which is all my home firewall does), I follow this basic format:
block blacklisted sources/destinations using address-list
allow established,related (these can be one rule now)
allow whitelisted hosts
allow out-interface=wan
{
allow specific ports & services (if more than one or two checks are required for a given interface policy, make it a jump to a separate chain)
}
default drop
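An added example, not code from the thread or from either poster, that puts ZeroByte's pinholes chain together with the mail ports from the /ip export above. The export shows why port 25 never answered: the dst-nat rules for 25, 465 and 587 all carry to-ports=80, so every SMTP and submission connection was rewritten to port 80 on the mail host. Leaving to-ports out keeps the original destination port. The hosts and interface names below (192.168.10.3 for mail/web, 192.168.10.4 for Bind9, "pppoe" for the WAN) are assumptions taken from the export; the comments are mine. One caveat on the export itself: it contains the IPsec pre-shared key, the PPPoE password and the Wi-Fi PSKs in clear, which should be scrubbed before posting and rotated now.

```routeros
# Added example (not from the thread): one "pinholes" chain for all inbound
# dst-nat, replacing the per-port rules in the export. Assumed addresses:
# 192.168.10.3 = mail/webmail host, 192.168.10.4 = Bind9 host.
/ip firewall nat
# Hand every packet addressed to one of the router's own addresses, except
# the RFC 1918 LAN-side ones, to the pinholes chain. dst-address-type=local
# instead of a literal WAN IP keeps working after a new PPPoE lease.
# place-before=0 puts the jump ahead of the existing dstnat rules.
add chain=dstnat dst-address-type=local dst-address=!192.168.0.0/16 \
    action=jump jump-target=pinholes comment="jump to pinholes" place-before=0
# Bind9: TCP and UDP 53. No to-ports, so dst-nat keeps port 53.
add chain=pinholes protocol=udp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.4 comment="dns-primary"
add chain=pinholes protocol=tcp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.4 comment="dns-primary"
# Mail and webmail on one host: SMTP, SMTPS, submission, HTTP, HTTPS.
# The destination port is preserved; the original to-ports=80 broke this.
add chain=pinholes protocol=tcp dst-port=25,465,587,80,443 action=dst-nat \
    to-addresses=192.168.10.3 comment="mail-web"
# Anything not pinholed returns to dstnat. Keep this rule last in the chain.
add chain=pinholes action=return comment="pinholes end"

# dst-nat only rewrites the packet; the forward chain still has to let it
# through. Accepting what the pinholes rewrote avoids listing ports twice.
# Place this before the forward chain's drop rule.
/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=new \
    action=accept comment="allow pinholed connections"

# Checks: counters on the pinholes rules should increase while testing from
# outside, and the mail rule must show dst-port 25,465,587,80,443 with no
# to-ports value.
/ip firewall nat print stats where chain=pinholes
/ip firewall nat print where chain=pinholes protocol=tcp
```

After adding these, remove the old "mailserver" and "nameserver" dst-nat rules from the export so no second rule can match, then test from a host outside the LAN: a TCP connection to port 25 on the WAN address should now reach the mail host's SMTP banner rather than its web server.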
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Sat Dec 12, 2015 10:41 am

Hello, thanks for the reply.
I am going to look into it and try to make it simpler, but I thought that I already NAT the DNS with this rule??

add action=dst-nat chain=dstnat comment=nameserver dst-address=62.131.60.211 \
dst-port=53 in-interface=pppoe protocol=tcp to-addresses=192.168.10.4 \
to-ports=53
add action=dst-nat chain=dstnat comment=nameserver dst-address=62.131.60.211 \
dst-port=53 in-interface=pppoe protocol=udp to-addresses=192.168.10.4 \
to-ports=53
 
Silvano1980
just joined
Topic Author
Posts: 14
Joined: Fri Sep 12, 2014 8:48 pm

Re: Bind9 server and mailserver/website

Sun Dec 13, 2015 10:09 pm

Yesss, it is working with the rules you've given, and I cleaned up my forwarding rules.
One more thing: what will happen if the DNS server is down? Can I forward it to another DNS then?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bind9 server and mailserver/website

Mon Dec 14, 2015 8:46 pm

Yesss, it is working with the rules you've given, and I cleaned up my forwarding rules.
One more thing: what will happen if the DNS server is down? Can I forward it to another DNS then?
No - the NAT table just looks at packets as they pass through the router. If the packets match a rule, then it replaces the source or destination IP and/or port number and forwards it along.

You would need some other tool to monitor the service and modify the NAT rule if a failure is detected.
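An added example, not from the thread, of the "other tool" ZeroByte refers to, built from RouterOS's own netwatch: it pings the Bind9 host and, on a state change, swaps two pre-built pinhole rules so port 53 is forwarded to a second DNS host instead. The addresses (192.168.10.4 primary, 192.168.10.5 backup), the rule comments and the "pinholes" chain are assumptions for the example.

```routeros
# Added example (not from the thread): netwatch-driven failover of the DNS
# pinhole. Assumed hosts: 192.168.10.4 = primary Bind9, 192.168.10.5 = backup.
/ip firewall nat
add chain=pinholes protocol=udp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.4 comment="dns-primary"
add chain=pinholes protocol=tcp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.4 comment="dns-primary"
# Backup rules exist but stay disabled until the primary goes down.
add chain=pinholes protocol=udp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.5 comment="dns-backup" disabled=yes
add chain=pinholes protocol=tcp dst-port=53 action=dst-nat \
    to-addresses=192.168.10.5 comment="dns-backup" disabled=yes

# netwatch pings the host every 30s; down-script/up-script run once per
# state change. Rules are located by comment, so the comments above matter.
/tool netwatch
add host=192.168.10.4 interval=30s timeout=2s comment="bind9 primary" \
    down-script="/ip firewall nat set [find comment=\"dns-primary\"] disabled=yes; /ip firewall nat set [find comment=\"dns-backup\"] disabled=no; /log warning \"dns-primary down, port 53 pinhole moved to backup\"" \
    up-script="/ip firewall nat set [find comment=\"dns-backup\"] disabled=yes; /ip firewall nat set [find comment=\"dns-primary\"] disabled=no; /log info \"dns-primary up, port 53 pinhole restored\""
```

Two caveats a practitioner should weigh before relying on this. Netwatch in this RouterOS branch only tests ICMP reachability, so a host that answers ping while named has crashed is still "up"; and connections already in the connection tracking table keep their old translation until they time out, which for UDP DNS is seconds but for TCP can be longer. For an authoritative zone the standard answer is a second NS record on a different IP, ideally at a different site, because resolvers retry the other nameserver on their own; the netwatch swap only helps when both hosts sit behind this one WAN address.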