The first two points are really about not understanding why you are hiding private IPs, which have no bearing on security.
For all we know, 172 etc. is not even the private IP you use, not that it matters an iota.
(1) The first issue I see is that your private LAN IP address has the letter z in it instead of a number.
/ip address
add address=172.16.0.z/24 interface="sfp-sfpplus1 - LAN" network=172.16.0.0
(2) The second issue is really more of the same, for the DHCP server on a private LAN subnet.
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.z domain=home.local.lan \
    gateway=172.16.0.z netmask=24 ntp-server=172.16.0.yyy
(3) I don't like your nomenclature for the firewall list called WANs; a tad confusing, to say the least.
(4) I don't like your nomenclature for the firewall list called LANs; a tad confusing.
(5) I don't support the silly usage of a firewall address list instead of the simpler choices. There is no need!
a. src-address=172.16.0.0/24 OR
b. interface="sfp-sfpplus1 - LAN" OR
c. in-interface-list=LAN
Firewall address lists are best for capturing a group of IPs smaller than a full subnet, or a bunch of IPs from different subnets, or either of those in conjunction with subnets (a mix of both).
If one had a group of subnets, then use interface lists.
(6) I should state that the firewall rules are crap.
For example, instead of all the frivolous ICMP rules, simply have one rule:
add chain=input action=accept protocol=icmp
At the end of the input chain you should put a block-all-else rule.
Use the basic firewall here and add any specific accept rules for the traffic you require:
viewtopic.php?t=180838
It seems you do have a drop-all rule at the end of the forward chain, making all your drop rules prior to that redundant and messy.
(7) You are mangling for hairpin NAT, so I am very curious as to which WAN IP is involved in this setup (telling users to go to which WAN IP for the server vice the LAN IP directly).
(8) Mangling and fasttrack do not mix well.
(9) What in tarnation does this rule accomplish?
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
(10) The dst-nat and IP routes also look screwy.
In conclusion, you have cobbled together a messy config that seems bloated and pulled together from various YouTube adventures with very little understanding of what has been configured.
The config is overly complex due to the unnecessary garbage added without first confirming that the basic connectivity you need works.
Simple firewall, simple routes, basic source NAT and basic destination NAT (see if everything works, then start adding).
- which WAN IP is used by external users to reach your server
- which WAN IP is used by internal users to reach your server (otherwise hairpin NAT is not required).
Assuming you have a fixed private WAN IP on WAN1, just use a fake one to display it in the config here, so it's clear which one it is throughout the config.
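As an added example (not part of the reply above, nor of the original poster's config), this is what the simpler layout the reply argues for looks like in RouterOS terms: interface lists instead of address lists, the default-style firewall with one ICMP accept and a drop-all-else at the end of both input and forward, and hairpin NAT done with a plain srcnat masquerade rule instead of mangle marks, so it does not fight fasttrack. The interface name "sfp-sfpplus1 - LAN" and the 172.16.0.0/24 subnet are taken from the quoted config; everything else is assumed: ether1 as the WAN port, 192.0.2.10 as a stand-in fixed WAN IP (a fake one, as the reply suggests), 172.16.0.1 as the router's LAN address, and a server at 172.16.0.10 on TCP 443.

```routeros
# Added example, not the original poster's config. Assumed names/addresses:
#   ether1               = WAN port
#   192.0.2.10           = stand-in for the fixed WAN IP (fake, per the reply)
#   172.16.0.1           = router LAN address
#   172.16.0.10 tcp/443  = the server users reach via the WAN IP
# From the quoted config: interface "sfp-sfpplus1 - LAN", subnet 172.16.0.0/24

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface="sfp-sfpplus1 - LAN" list=LAN

/ip address
add address=192.0.2.10/24 interface=ether1
add address=172.16.0.1/24 interface="sfp-sfpplus1 - LAN"

/ip firewall filter
# input: default-firewall shape, a single icmp rule, drop-all-else last
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="one icmp rule is enough"
add chain=input action=accept in-interface-list=LAN comment="router services for LAN"
add chain=input action=drop comment="drop all else"
# forward: fasttrack first, then the same shape; the dstnat accept is what
# lets the port-forwarded server traffic (internet and hairpinned) through
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwards"
add chain=forward action=drop comment="drop all else"

/ip firewall nat
# basic source nat
add chain=srcnat action=masquerade out-interface-list=WAN
# basic destination nat: match on the fixed WAN IP rather than in-interface=WAN,
# so a LAN client connecting to 192.0.2.10:443 is dst-natted by the same rule
add chain=dstnat action=dst-nat dst-address=192.0.2.10 protocol=tcp dst-port=443 to-addresses=172.16.0.10
# hairpin nat without mangle: LAN-to-LAN traffic that was dst-natted to the
# server gets the router's address as source, so the server's reply returns
# through the router instead of going straight to the client and being reset
add chain=srcnat action=masquerade src-address=172.16.0.0/24 dst-address=172.16.0.10 protocol=tcp dst-port=443 comment="hairpin nat"
```

The dstnat rule matching on dst-address is the piece that ties in with the reply's question about which WAN IP is involved: a LAN client that resolves the server's name to 192.0.2.10 hits the same dst-nat rule as an internet client, and the last srcnat rule is all that hairpinning needs. If internal users reach the server by its LAN address directly, that last rule, and the question, go away.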