meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Double check my config to make sure no holes in firewall rules

Sat Jul 11, 2020 3:34 am

I have created this config and hope this will pass the leak test.
I would appreciate it if someone could take a look.

My setup is in MikroTik:
LAN - 192.168.4.0/24
VLAN ID 20 - 10.0.20.0/24
Port forwarding for VPN to IP 192.168.4.8
Managed switch for tagged and untagged traffic.
The only thing I added is a rule for VLAN 20 to not access LAN resources.
/interface bridge
add admin-mac=00:D1:54:82:12:90 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add name=dhcp_pool ranges=10.0.20.10-10.0.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool disabled=no interface=VLAN20 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN20 list=LAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=\
    192.168.4.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 \
    netmask=24
add address=192.168.4.0/24 comment=defconf dns-server=192.168.4.2 gateway=\
    192.168.4.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.4.2
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward connection-state=invalid,new dst-address=\
    192.168.4.0/24 src-address=10.0.20.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.4.0/24 src-address=!10.0.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.229.133.100
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
 
anav
Forum Guru
Posts: 22320
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double check my config to make sure no holes in firewall rules

Sat Jul 11, 2020 3:53 am

Obviously you didn't change this default setting when configuring the router; it should be bridge now.
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=\
192.168.4.0

Can be simplified.....
add action=drop chain=forward connection-state=invalid,new dst-address=\
192.168.4.0/24 src-address=10.0.20.0/24

To
add action=drop chain=forward dst-address=\
192.168.4.0/24 src-address=10.0.20.0/24

Not quite sure of the purpose of this rule?? In the above rule you already drop any attempt by the source subnet to access the destination subnet!!
What is it you think you are accomplishing with this rule?
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.4.0/24 src-address=!10.0.20.0/24
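To make anav's two points checkable rather than argued, here is an added example (not code from either poster) that models how a RouterOS forward chain decides a packet: first matching rule wins, and a packet that reaches the end of the chain is accepted. It runs the default-config forward rules from the export, followed by either the two custom rules as posted or the single simplified drop rule, over a handful of constructed packets. The packets, the 203.0.113.7 Internet address and the treatment of fasttrack as accept are assumptions of the example; the ipsec-policy rules are omitted because no constructed packet carries an IPsec policy.

```python
import ipaddress

# Added example: a minimal model of how a RouterOS IPv4 "forward" chain
# decides a packet. Rules are tried in order, the first rule whose matchers
# all match decides, and a packet that falls off the end of the chain is
# accepted (there is no implicit drop). fasttrack-connection counts as
# accept here. The ipsec-policy rules from the export are left out because
# none of the constructed packets carries an IPsec policy.

def cidr_match(spec, addr):
    """Match addr against 'a.b.c.d/n'; a leading '!' negates the match."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def list_match(spec, value):
    """Match value against a comma-separated list; a leading '!' negates."""
    negate = spec.startswith("!")
    wanted = set(spec.lstrip("!").split(","))
    return (value in wanted) != negate

# matcher name as written in the rule -> function(spec, packet) -> bool
MATCHERS = {
    "connection-state": lambda s, p: list_match(s, p["connection-state"]),
    "connection-nat-state": lambda s, p: list_match(s, p["connection-nat-state"]),
    "in-interface-list": lambda s, p: list_match(s, p["in-interface-list"]),
    "src-address": lambda s, p: cidr_match(s, p["src"]),
    "dst-address": lambda s, p: cidr_match(s, p["dst"]),
}

def evaluate(rules, packet):
    """Return (verdict, index of the deciding rule); index None = implicit accept."""
    for i, rule in enumerate(rules):
        matchers = {k: v for k, v in rule.items() if k != "action"}
        if all(MATCHERS[k](v, packet) for k, v in matchers.items()):
            accept = rule["action"] in ("accept", "fasttrack-connection")
            return ("accept" if accept else "drop"), i
    return "accept", None

def verdicts(rules, packets):
    return [evaluate(rules, p)[0] for p in packets]

def hit_counts(rules, packets):
    """How many packets each rule decided; a rule that never decides is dead."""
    counts = [0] * len(rules)
    for p in packets:
        _, i = evaluate(rules, p)
        if i is not None:
            counts[i] += 1
    return counts

# Default-config forward rules that precede the custom ones in the posted export.
COMMON = [
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "connection-nat-state": "!dstnat",
     "connection-state": "new", "in-interface-list": "WAN"},
]
# The two custom rules as originally posted ...
ORIGINAL_TAIL = [
    {"action": "drop", "connection-state": "invalid,new",
     "dst-address": "192.168.4.0/24", "src-address": "10.0.20.0/24"},
    {"action": "accept", "connection-state": "established,related",
     "dst-address": "192.168.4.0/24", "src-address": "!10.0.20.0/24"},
]
# ... and the single rule suggested instead.
SIMPLIFIED_TAIL = [
    {"action": "drop", "dst-address": "192.168.4.0/24", "src-address": "10.0.20.0/24"},
]

def pkt(state, src, dst, iflist, nat="none"):
    return {"connection-state": state, "src": src, "dst": dst,
            "in-interface-list": iflist, "connection-nat-state": nat}

# Constructed sample packets (subnets from the thread; 203.0.113.7 is a
# documentation address standing in for an Internet host).
SAMPLE_PACKETS = [
    pkt("new", "10.0.20.5", "192.168.4.8", "LAN"),              # VLAN20 -> LAN: must drop
    pkt("new", "192.168.4.5", "10.0.20.5", "LAN"),              # LAN -> VLAN20: allowed
    pkt("established", "10.0.20.5", "192.168.4.5", "LAN"),      # reply to the above
    pkt("new", "203.0.113.7", "192.168.4.8", "WAN", "dstnat"),  # the forwarded VPN port
    pkt("new", "203.0.113.7", "192.168.4.20", "WAN"),           # unsolicited from WAN
    pkt("invalid", "10.0.20.5", "192.168.4.8", "LAN"),          # invalid state
]

if __name__ == "__main__":
    for name, tail in (("original", ORIGINAL_TAIL), ("simplified", SIMPLIFIED_TAIL)):
        rules = COMMON + tail
        print(name, verdicts(rules, SAMPLE_PACKETS),
              "hits per rule:", hit_counts(rules, SAMPLE_PACKETS))
```

Both rule sets give the same verdict for every sample packet, which is why the `connection-state=invalid,new` qualifier can go: invalid packets are already dropped and established ones already accepted before the custom rule is reached. The same ordering is what makes the posted `accept ... src-address=!10.0.20.0/24` rule dead: every established or related packet has been accepted by the fasttrack and established rules above it, so its hit count stays at zero.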
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Double check my config to make sure no holes in firewall rules

Sat Jul 11, 2020 4:25 am

Thanks @anav
You always help right away. Really appreciate your willingness.
Here are the changes you suggested.
I will try it out when the family is asleep and let you know.
# jan/01/2002 00:22:03 by RouterOS 6.47
# software id = S1MG-NEED
#
# model = RouterBOARD 750G r3
# serial number = 6F39079A5CA0
/interface bridge
add admin-mac=64:D1:54:82:B5:90 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
add name=dhcp_pool ranges=10.0.20.10-10.0.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool disabled=no interface=VLAN20 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN20 list=LAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\
    192.168.4.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 \
    netmask=24
add address=192.168.4.0/24 comment=defconf dns-server=192.168.4.2 gateway=\
    192.168.4.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.4.2
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward connection-state="" dst-address=192.168.4.0/24 \
    src-address=10.0.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.229.133.100
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
 
anav
Forum Guru
Posts: 22320
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double check my config to make sure no holes in firewall rules

Sat Jul 11, 2020 2:58 pm

Something bugged me about your config but it was late last night and I was tired.

The issue that I see is that
a. you associated the vlan to the bridge
b. you have the bridge giving out DHCP
c. you have the vlan getting DHCP separately

So that's a conflict.
If you had tied the vlan to a specific interface like ether2 or 3 or 4 etc., then it would work.
If you need the vlan to run over several ports then keeping it on the bridge makes sense.

However, if it's on the bridge then you would need some bridge port settings to show the vlan possibly and definitely some bridge vlan settings.

When you say managed switch for tagged and untagged traffic do you mean there is an additional switch in the mix??
What I did in my house is use only vlans, so let's say vlan10 is my home LAN, then the bridge is not saddled with DHCP or anything else. Makes it cleaner in my mind.

For example..........
/ip dhcp-server
add address-pool=dhcp disabled=no interface=VLAN10 name=homepool
add address-pool=dhcp_pool disabled=no interface=VLAN20 name=dhcp2

/ip address
add address=192.168.4.1/24 comment=defconf interface=vlan10 network=\
192.168.4.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0

++++++++++++++++++++++++++++++++++++++++++
This is a MUST read article for vlans on home routers.
viewtopic.php?f=13&t=143620

However, it is possible not to use vlans and just use subnets; it depends on the complexity of your setup.
If you have multiple ports requiring vlans, then the vlan route is probably better. If you have a VLAN on only one port then either way works.

For example (subnet solution)
subnet A on bridge for etherports 2,3,4
subnet B NOT on bridge using etherport 5

In my house
I have 10 subnets that have to go through 2 ports........
VLANs are the obvious setup.
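The two things anav flagged across his replies (an IP address sitting on a bridge port instead of the bridge, and a VLAN interface riding on a bridge that has no bridge vlan entry) are easy to miss by eye in a long export. Here is an added example, not code from either poster, that parses a RouterOS export and reports both. The export text is constructed for the example and modeled on the one posted above; the MAC address and the check wording are assumptions.

```python
import shlex

# Added example: parse a RouterOS "/export" and run two checks drawn from the
# replies in this thread: an IP address placed on a bridge *port* instead of
# the bridge, and a VLAN interface on a bridge that has no matching
# "/interface bridge vlan" entry. Constructed sample exports are below.

def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value and keeps
    the command word under '_cmd'. Lines ending in a backslash are joined."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        piece = line.lstrip() if buf else line
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        logical.append(buf + piece)
        buf = ""
    sections, current = {}, None
    for line in logical:
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)          # handles quoted comment="..." values
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections

def check_address_on_bridge_port(cfg):
    """An address on a port that belongs to a bridge never sees traffic: the
    bridge owns the port, so the address has to live on the bridge."""
    ports = {e["interface"]: e["bridge"] for e in cfg.get("/interface bridge port", [])}
    return [f"{e['address']} is on {e['interface']}, a port of {ports[e['interface']]}; "
            f"it belongs on the bridge"
            for e in cfg.get("/ip address", []) if e.get("interface") in ports]

def check_vlan_without_bridge_vlan_entry(cfg):
    """A VLAN interface whose parent is a bridge, with no bridge vlan entry
    for that vlan-id, is worth a second look at the bridge VLAN settings."""
    bridges = {e["name"] for e in cfg.get("/interface bridge", [])}
    table = {(e["bridge"], vid) for e in cfg.get("/interface bridge vlan", [])
             for vid in e.get("vlan-ids", "").split(",")}
    return [f"{e['name']} (vlan-id {e['vlan-id']}) rides on {e['interface']} but the "
            f"bridge has no vlan entry for it; check bridge VLAN settings"
            for e in cfg.get("/interface vlan", [])
            if e["interface"] in bridges and (e["interface"], e["vlan-id"]) not in table]

def lint(text):
    cfg = parse_export(text)
    return check_address_on_bridge_port(cfg) + check_vlan_without_bridge_vlan_entry(cfg)

# Constructed sample, modeled on the export posted in the thread (the MAC is
# from the IANA documentation range).
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=00:00:5E:00:53:01 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.4.1/24 comment=defconf interface=ether2 network=\\
    192.168.4.0
add address=10.0.20.1/24 interface=VLAN20 network=10.0.20.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

# Constructed: the same setup with the address moved to the bridge and a
# bridge vlan entry for VLAN20, so both checks come back clean.
FIXED_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
/interface bridge port
add bridge=bridge interface=ether2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/ip address
add address=192.168.4.1/24 interface=bridge network=192.168.4.0
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

The parser only needs to know three things about the export format: section headers start with `/`, a trailing backslash continues the command on the next line, and values with spaces are double-quoted, which `shlex.split` already understands. The second check is deliberately phrased as a review prompt rather than a verdict, since whether bridge VLAN filtering is wanted depends on the design, as the later replies in this thread show.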
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Double check my config to make sure no holes in firewall rules

Sun Jul 12, 2020 2:33 am

@anav
I took your advice and made a few changes.
I'm hoping this will be it.

LAN 192.168.88.0/24 bridge ether2, ether3, ether4, I will only use this to access WinBox, no devices are using this.
VLAN1 192.168.4.0/24 bridge1 ether5, my main home subnet
VLAN20 10.0.20.0/24 bridge1 ether5, IoT devices.
Netgear switch connected to ether5, configured to tag VLAN1 & VLAN20.
I tested everything and all my devices are getting IP addresses from the respective VLANs using the switch.

/interface bridge
add admin-mac=00:D1:12:82:B5:90 auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface vlan
add interface=ether5 name=VLAN1 vlan-id=1
add interface=ether5 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-lan-home ranges=192.168.4.10-192.168.4.200
add name=dhcp-vlan20 ranges=10.0.20.10-10.0.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-vlan20 disabled=no interface=VLAN20 name=dhcp1
add address-pool=dhcp-lan-home disabled=no interface=VLAN1 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=VLAN1 list=LAN
add interface=VLAN20 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.4.0/24 interface=VLAN1 network=192.168.4.0
add address=10.0.20.0/24 interface=VLAN20 network=10.0.20.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 \
    netmask=24
add address=192.168.4.0/24 dns-server=192.168.4.2 gateway=192.168.4.1 \
    netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=192.168.4.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.4.0/24 src-address=\
    10.0.20.0/24
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=\
    10.0.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.229.133.100
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
 
anav
Forum Guru
Posts: 22320
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double check my config to make sure no holes in firewall rules

Sun Jul 12, 2020 2:59 am

It's a weird setup, I don't see anything particularly wrong, but if it's working for you now, then leave well enough alone LOL.
Glad it's up and running.

Ether5 is a vlan trunk.
But it looks like you're not using bridge vlan filtering so no need to establish bridge vlan settings??
Normally there would be something like
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=1,20 (but don't really put the 1 as that is the implied default vlan)
 
meazz1
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Nov 28, 2017 9:44 pm
Location: Auburn, GA

Re: Double check my config to make sure no holes in firewall rules

Sun Jul 12, 2020 6:22 am

As long as my firewall is set up right I will be OK with it for now.
I used OPNsense on a device with only 2 gig ports so setup was pretty straightforward.
Now I want to give MikroTik a try, hence all this dilemma.