/ip settings
set rp-filter=strict
This, as rextended is saying, should be done at the ISP level, not necessarily the homeowner level. And how does rp-filter=strict deal with dual WANs...??
Wishful thinking that all our ISP providers are as considerate as rextended.
The two following rules offered up take care of the outgoing traffic from the homeowner (seems reasonably easy and not CPU intensive) and should help rextended reduce his overall burden.
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
(NOTE1: add more bogon addresses as you see fit.)
(NOTE2: If you need to reach your ISP/modem and it conflicts with bogon addresses, ensure there is a path for that traffic, depending upon individual requirements; this could potentially be solved by approaches such as an IP route or an IP address.)
And the second rule from SOB, for which I have to ask ---> What, if any, is the difference, functionally speaking? And then practically speaking???
Both seem to block all outgoing stuff not from an IP on the router (assuming one makes allowances when necessary, such as for incoming WireGuard addresses)??
/ip firewall raw
add chain=prerouting in-interface=LAN src-address=!10.0.0.0/24 action=drop
NOTE: where I suppose, if you had multiple VLANs, one would simply use a
src-address-list=!VLAN-subnets
+++++++++++++++++++++++++++++++++++
As for the incoming: if my ISP does not block such nefarious inbound traffic, AND if for some strange reason there is a source address that matches one on my LAN subnet coming in on the WAN side from the internet and hitting the router interface, what then?? In other words, I don't really care about private IP traffic that has nowhere to go on my router anyway, but something sneaky that may mess with my router's brain!
A. There is no input rule allowing that unless it's aiming for a port that's open, such as WireGuard.
B. There is no forward chain rule allowing that unless it's aimed at port forwarding....
Thus in situations A or B, how is that traffic next handled...? If not safely or securely, then...
Do we need another firewall raw rule, except one that is 180 degrees different, that specifically blocks my LAN subnet addresses inbound???
/ip firewall raw
add chain=prerouting in-interface=WAN src-address=10.0.0.0/24 action=drop
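One way to put both directions together, as an added example that is not from this thread or from any poster: address lists let the rules cover several VLANs plus a WireGuard range, the inbound rule asked about above is included, and the blackhole routes stay because raw rules match only the source address while routes act on the destination. The interface lists WAN and LAN, the subnets 10.0.0.0/24, 10.0.10.0/24 and 10.200.0.0/24, and the public address 203.0.113.10 are assumed, constructed values.

```routeros
# Added example (not from the forum post): anti-spoofing in /ip firewall raw
# using address lists and interface lists. All subnets below are constructed.

/interface list
add name=WAN comment="upstream interface(s)"
add name=LAN comment="all LAN / VLAN interfaces"

/ip firewall address-list
# every subnet this router legitimately routes for, WireGuard peers included
add list=LAN-subnets address=10.0.0.0/24 comment="main LAN (constructed)"
add list=LAN-subnets address=10.0.10.0/24 comment="IoT VLAN (constructed)"
add list=LAN-subnets address=10.200.0.0/24 comment="WireGuard peers (constructed)"
# source ranges that must never arrive from the internet
add list=bogons address=10.0.0.0/8 comment="RFC 1918"
add list=bogons address=172.16.0.0/12 comment="RFC 1918"
add list=bogons address=192.168.0.0/16 comment="RFC 1918; exempt your modem's subnet if you manage it via WAN"
add list=bogons address=100.64.0.0/10 comment="CGNAT; remove if your ISP hands you such an address"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=127.0.0.0/8 comment="loopback"

/ip firewall raw
# Egress: a LAN/VLAN host may only send with a source address we actually route.
add chain=prerouting in-interface-list=LAN src-address-list=!LAN-subnets action=drop log=yes log-prefix="SPOOF-LAN" comment="drop LAN egress with a foreign source"
# Ingress: the inbound mirror image, drops private/LAN sources arriving from the internet
add chain=prerouting in-interface-list=WAN src-address-list=bogons action=drop log=yes log-prefix="SPOOF-WAN" comment="drop WAN ingress with bogon/LAN source"
# Ingress: packets claiming our own public address as source (constructed static WAN IP)
add chain=prerouting in-interface-list=WAN src-address=203.0.113.10 action=drop log=yes log-prefix="SPOOF-SELF" comment="drop packets pretending to be this router"

/ip route
# Keep the blackholes: they catch traffic TO unrouted private space (a LAN host
# probing 172.16.x.x, say), which the raw rules above never see because those
# match the source address only. Connected /24s win by longest prefix match.
add blackhole dst-address=10.0.0.0/8
add blackhole dst-address=172.16.0.0/12
add blackhole dst-address=192.168.0.0/16
```

The log prefixes give a quick way to confirm in /log that a rule is actually matching before trusting it; drop log=yes once the counters look sane.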