Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

dstnat rules not working

Thu Nov 09, 2023 5:23 am

Good evening,
I am trying to redirect all network traffic to the pihole (even if a client specifies a different DNS). I noticed that the routerboard doesn't apply any dstnat rules. Where am I going wrong?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=dimensione-pppoe src-address=\
    192.168.0.0/20
add action=masquerade chain=srcnat out-interface=dimensione-pppoe src-address=\
    192.168.240.0/20
add action=masquerade chain=srcnat out-interface=dimensione-pppoe src-address=\
    10.255.255.0/24
add action=masquerade chain=srcnat out-interface=dimensione-pppoe src-address=\
    172.16.0.0/20
add action=masquerade chain=srcnat comment="PiHole NEW" src-address=\
    192.168.55.0/29
add action=dst-nat chain=dst-nat comment="PiHole Access" dst-address=\
    192.168.0.8 dst-port=80 protocol=tcp to-addresses=192.168.55.5 to-ports=\
    80
add action=dst-nat chain=dstnat comment="PiHole NEW" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=!excluded to-addresses=\
    192.168.55.5
add action=dst-nat chain=dstnat comment="PiHole NEW" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=!excluded to-addresses=\
    192.168.55.5
For example here: if I type 192.168.0.8 in the browser URL bar it doesn't redirect me to 192.168.55.5 but gives me: ERR_CONNECTION_TIMED_OUT
And the various clients are not redirected to the DNS on the pihole either.


Firewall full config:
/ip firewall address-list
add address=192.168.0.0/20 comment="Casa NET" list=net_casa
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    bogons
add address=xx.xx.xx.xx list=WAN
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.5 comment="Excluded from PiHole" list=excluded
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/20 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Base NET" list=net_base
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="PiHole NEW" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="PiHole NEW" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="PiHole NEW" dst-address=192.168.55.5 \
    in-interface-list=LAN
add action=accept chain=forward comment="Fast-Forward\r\
    \n" connection-state=established,related disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
    Syn_Flooder
add action=drop chain=forward comment="DROP traffico da Mamma a Base" \
    dst-address-list=net_base src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Casa" \
    dst-address-list=net_casa src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Domus" \
    dst-address-list=net_domus src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Guest" \
    dst-address-list=net_guest src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Guest a Base" \
    dst-address-list=net_base src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Casa" \
    dst-address-list=net_casa src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Domus" \
    dst-address-list=net_domus src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Mamma" \
    dst-address-list=net_mamma src-address-list=net_guest
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
    tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
    Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to \
    support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=80 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www-ssl - except to\
    \_support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPO\
    RT ADDRESS LIST" dst-port=443 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the telnet - except to \
    support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=23 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ssh - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp- except to supp\
    ort list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADD\
    RESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api-ssl - except to\
    \_support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPO\
    RT ADDRESS LIST" dst-port=8729 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=8728 protocol=tcp src-address-list=!net_casa
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
    3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to net_casa address list" \
    src-address-list=net_casa
add action=accept chain=input comment="Full access to net_mamma address list" \
    log=yes src-address-list=net_mamma
add action=accept chain=input comment="Full access to net_guest address list" \
    log=yes src-address-list=net_guest
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RU\
    LE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log-prefix=DROP!!
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Block all access to the ssh - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
 
mkx
Forum Guru
Posts: 13049
Joined: Thu Mar 03, 2016 10:23 pm

Re: dstnat rules not working

Thu Nov 09, 2023 12:30 pm

If you try to access PiHole web interface by connecting to that IP address explicitly and you don't get the expected behaviour, then this has nothing to do with dst-nat, it has either something to do with routing or config on PiHole device itself.

So post full config of your router to see if it's the former.
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not working

Mon Nov 13, 2023 7:58 pm

Thanks for the reply, and sorry for replying so late, but I had personal problems. Here is the complete setup, thanks.

The goal is to redirect all clients to the pihole (even if they have manually set DNS or are hard-bound). If I set the DNS to, for example, 8.8.8.8, it bypasses the pihole.

While doing tests I noticed that it doesn't forward anything: for example, if I put the IP 192.168.55.55 in the browser I connect to the pihole, but with that rule I should connect to it even if I put the IP 192.168.0.8 in the browser.
# model = RB5009UG+S+
/container mounts
add dst=/opt/list name=list_pihole src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=crono_pihole src=/usb1-part1/container_pihole/crono
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "500 107 861 504" type=partition
/interface bridge
add comment=Capsman name=BR-Capsman vlan-filtering=yes
/interface veth
add address=192.168.55.55/25,2001:470:8248:2d:c086:31ff:fe24:851a/64 gateway=\
    192.168.55.1 gateway6=2001:470:8248:2d::e name=veth1
/interface vlan
add comment=Casa interface=BR-Capsman name=100-Casa vlan-id=100
add comment=Mamma interface=BR-Capsman name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman name=400-Domus vlan-id=400
add comment=Control interface=BR-Capsman name=900-Control vlan-id=900
add comment=WAN interface=ether1 name=xxx.xxx.xxx.xxx-vlan vlan-id=xxx
/interface pppoe-client
add add-default-route=yes disabled=no interface=xxx.xxx.xxx.xxx-vlan max-mru=xxx \
    max-mtu=xxx name=xxx-pppoe use-peer-dns=yes user=xxx
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 channel
add disabled=no frequency=2452 name=silent width=20/40mhz-eC
add disabled=no name=guest
add band=5ghz-ax disabled=no frequency=5200 name=home5ghz skip-dfs-channels=\
    all
add band=2ghz-ax disabled=no frequency=2437 name=channel6_main
add disabled=no name=service2ghz
add disabled=no name=service5ghz
add band=2ghz-ax disabled=no frequency=2412 name=channel1
add band=2ghz-ax disabled=no frequency=2462 name=channel11
/interface wifiwave2 datapath
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Casa vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus vlan-id=400
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=home
add authentication-types=wpa2-psk disabled=no name=guest
add authentication-types=wpa2-psk disabled=no name=silent
add authentication-types=wpa2-psk disabled=no name=srv
add authentication-types=wpa2-psk disabled=no name=service
/interface wifiwave2 configuration
add antenna-gain=2 channel=guest country=Italy datapath=Wifi_Guest disabled=\
    yes name=guest security=guest ssid=Clochard
add channel=silent country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=\
    yes name=silent security=silent ssid=silent
add channel=home5ghz country=Italy datapath=Wifi_Casa disabled=no name=\
    home5ghz security=home ssid=HyperLimitless
add antenna-gain=3 channel=channel1 country=Italy datapath=Wifi_Casa \
    disabled=no name=studio_2ghz security=home ssid=HyperLimitless
add channel=service2ghz country=Italy datapath=Wifi_Casa disabled=no \
    hide-ssid=no name=srv2ghz security=srv ssid=Limitless2G
add antenna-gain=3 channel=channel11 country=Italy datapath=Wifi_Casa \
    disabled=no name=centro_2ghz security=home ssid=HyperLimitless
add antenna-gain=1 channel=channel6_main country=Italy datapath=Wifi_Casa \
    disabled=no name=server_2ghz security=home ssid=HyperLimitless
add antenna-gain=4 channel=channel1 country=Italy datapath=Wifi_Casa \
    disabled=no name=taverna_2ghz security=home ssid=HyperLimitless
add antenna-gain=3 channel=channel11 country=Italy datapath=Wifi_Casa \
    disabled=no name=esterno_2ghz security=home ssid=HyperLimitless
add channel=service2ghz country=Italy datapath=Wifi_Domus disabled=no \
    hide-ssid=no mode=ap name=service2G security=service ssid=LimitService2G
add channel=service5ghz country=Italy datapath=Wifi_Domus disabled=no \
    hide-ssid=yes mode=ap name=service5G security=service ssid=LimitService5G
/ip kid-control
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
    thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
    0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=CasaPool ranges=192.168.0.100-192.168.0.200
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=ControlPool ranges=10.10.0.2-10.10.0.254
add name=DomusPool ranges=192.168.240.2-192.168.240.254
/ip dhcp-server
add add-arp=yes address-pool=CasaPool interface=100-Casa lease-script="# When \
    \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1d name=Casa_dhcp
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
    lease-time=1d name=Mamma_dchp relay=10.255.254.2 server-address=\
    10.255.254.1
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
    name=Guests_dhcp
add add-arp=yes address-pool=ControlPool disabled=yes interface=BR-Capsman \
    lease-time=1w name=Control_dhcp
add add-arp=yes address-pool=DomusPool interface=400-Domus lease-script="# Whe\
    n \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1w name=Domus_dhcp
/container
add envlist=pihole_envs interface=veth1 mounts=\
    list_pihole,etc_pihole,dnsmasq_pihole,crono_pihole root-dir=\
    usb1-part1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
add key=WEBPASSWORD name=pihole_envs value="xxxxxxxxxxxx"
add key=DNSMASQ_USER name=pihole_envs value=xxx
add key=SERVERIP name=pihole_envs value=192.168.55.55
/interface bridge port
add bridge=BR-Capsman interface=veth1
add bridge=BR-Capsman interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=300
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=100
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=400
/interface list member
add interface=xxxxxxxxxxxx-pppoe list=WAN
add interface=BR-Capsman list=LAN
add interface=xxxxxxxxxxxx-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=100-Casa list=LAN
add interface=400-Domus list=LAN
/interface wifiwave2 capsman
set enabled=yes interfaces=BR-Capsman package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    studio_2ghz name-format="" radio-mac=48:A9:8A:0E:03:52 \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=\
    esterno_2ghz name-format="" radio-mac=48:A9:8A:0E:09:5E \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=\
    server_2ghz name-format="" radio-mac=48:A9:8A:BC:A5:25 \
    slave-configurations=silent,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=\
    taverna_2ghz name-format="" radio-mac=48:A9:8A:0E:06:48 \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=\
    centro_2ghz name-format="" radio-mac=48:A9:8A:0E:06:A9 \
    slave-configurations=guest,service2G
/ip address
add address=192.168.0.1/24 interface=100-Casa network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.254.1/24 interface=200-Mamma network=10.255.254.0
add address=10.10.0.1/24 interface=BR-Capsman network=10.10.0.0
add address=192.168.240.1/24 interface=400-Domus network=192.168.240.0
add address=192.168.55.1/25 interface=veth1 network=192.168.55.0
/ip cloud
/ip dhcp-server lease
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
    netmask=24
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
    netmask=20
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
    netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
    netmask=24
/ip dns
set cache-max-ttl=1m
/ip dns static
/ip firewall address-list
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=xxx.xxx.xxx.xxx list=WAN
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Base NET" list=net_base
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="PiHole See" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="PiHole See" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="PiHole See" dst-address=\
    192.168.55.55 in-interface-list=LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Fast-Forward\r\
    \n" connection-state=established,related disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=drop chain=forward comment="DROP traffico da Mamma a Base" \
    dst-address-list=net_base src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Casa" \
    dst-address-list=net_casa src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Domus" \
    dst-address-list=net_domus src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Mamma a Guest" \
    dst-address-list=net_guest src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Guest a Base" \
    dst-address-list=net_base src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Casa" \
    dst-address-list=net_casa src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Domus" \
    dst-address-list=net_domus src-address-list=net_guest
add action=drop chain=forward comment="DROP traffico da Guest a Mamma" \
    dst-address-list=net_mamma src-address-list=net_guest
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www - except to s\
    upport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPOR\
    T ADDRESS LIST" dst-port=80 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www-ssl - except \
    to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SU\
    PPORT ADDRESS LIST" dst-port=443 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the telnet - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=23 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ssh - except to s\
    upport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPOR\
    T ADDRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp- except to su\
    pport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api-ssl - except \
    to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SU\
    PPORT ADDRESS LIST" dst-port=8729 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api - except to s\
    upport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPOR\
    T ADDRESS LIST" dst-port=8728 protocol=tcp src-address-list=!net_casa
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to net_casa address list" \
    src-address-list=net_casa
add action=accept chain=input comment="Full access to net_mamma address list" \
    log=yes src-address-list=net_mamma
add action=accept chain=input comment="Full access to net_guest address list" \
    log=yes src-address-list=net_guest
add action=accept chain=input comment="Full access to net_domus address list" \
    log=yes src-address-list=net_domus
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log-prefix=\
    DROP!!
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Block all access to the ssh - except to s\
    upport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPOR\
    T ADDRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp - except to s\
    upport list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPOR\
    T ADDRESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
/ip firewall nat
add action=dst-nat chain=dst-nat comment="PiHole Access" dst-address=\
    192.168.0.8 dst-port=80 protocol=tcp to-addresses=192.168.55.55 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Pihole See" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=!excluded \
    to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment="Pihole See" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=!excluded \
    to-addresses=192.168.55.55
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.240.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.255.255.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    172.16.0.0/20
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.55.0/25
add action=dst-nat chain=dstnat comment="HARPING NAT" dst-address-list=WAN \
    dst-port=xxx protocol=tcp to-addresses=xxx.xxx.xxx.xxx to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online: HASSIO" dst-port=xxx \
    in-interface=xxx-pppoe protocol=tcp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online: SteamOS" dst-port=xxx \
    in-interface=xxx-pppoe protocol=udp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online: INVERTERT MAMMA" \
    dst-port=xxx in-interface=xxx-pppoe protocol=tcp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online: RING" dst-port=xxx \
    in-interface=xxx-pppoe protocol=tcp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online:Transmission TCP" \
    dst-port=xxx in-interface=xxx-pppoe protocol=tcp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online:Transmission UDP" \
    dst-port=xxx in-interface=xxx-pppoe protocol=udp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online:aMule TCP" dst-port=xxx \
    in-interface=xxx-pppoe protocol=tcp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="Port Online:aMule UDP" dst-port=xxx \
    in-interface=xxx-pppoe protocol=udp to-addresses=xxx.xxx.xxx.xxx \
    to-ports=xxx
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=xxx-pppoe type=external
add interface=BR-Capsman type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB-Router
/system logging
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add prefix=dhcp topics=debug
add prefix=wireless topics=debug
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes local-clock-stratum=1 manycast=yes use-local-clock=yes
/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Mon Nov 13, 2023 8:51 pm

(1) Only see two subnets being directed to the pi (veth)...... so the rest are not supposed to is that correct??
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
    netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
    netmask=24


(2) Allow to Pi server exists in forward rules, check!

(3) Your forward chain rules could be much simplified. First order it properly, the first rule ( pi forwarding should be after the default rules).
More specifically make last rule DROP all else and only permit allowed traffic.
ex....
Yikes you have more input chain rules after forward rules, how disorganized.. and BLOATED with crap..
for example if you have a rule that says block all not from LAN, then why do you need any further in-interface-list=LAN rules ???????

I agree with however being picky and only allowing lan users to DNS services or other required services and not allowing access to config the router, That would be logical and good security practice.
So you do need at least one firewall address list... and one input rule add action=accept chain=input src-address-list=Admin Which are the IPs static leases or remote wg IP for ex.
I see you already have a trusted subnet which you call net_casa.
I prefer to put trusted subnet in its own interface list called trusted.
IP neighbours discovery also references this interface list
IP mac-server mac-winbox also references this interface list


Read the below rules and you see how clear each rule is.
No other traffic is permitted and thus it's very clean.
(added port 123 - NTP, to udp for services available to LAN)
...............
/ip firewall address-list
add address=192.168.0.0/24 list=net_casa  comment="Trusted Subnet"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input  src-address-list=net_casa  comment="ONLY allow trusted subnet full access to router services"
add action=accept chain=input comment="PiHole See" dst-port=53,123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="PiHole See" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"  { put this rule in last to ensure you dont lock yourself out }
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow access to PiHOLE if required" dst-address=\
    192.168.55.55 in-interface-list=LAN
add action=accept  chain=forward in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  { disable if not required }
add action=drop chain=forward comment="DROP ALL ELSE"
(4) NOW looking at NAT rules

Don't understand the dstnat rule for pihole traffic to go to 192.168.0.8 to be directed to 192.168.55.0
For example this would negate all your firewall rules pointing to 192.168.55.0 ??????????????????????

/ip firewall nat
add action=dst-nat chain=dst-nat comment="PiHole Access" dst-address=\
    192.168.0.8 dst-port=80 protocol=tcp to-addresses=192.168.55.55 to-ports=\
    80


The pihole direct type rules look good!

What is the purpose of having all the sourcenat rules for every subnet out for WAN....................??
Is there one particular subnet that should have no WAN access ?? NAT rules are not the proper place to enforce traffic rules, that's in the FW rules!!!
Only need one rule.
add chain=srcnat action=masquerade out-interface-list=WAN

EDIT: Okay so you don't want the Control network to go out internet
so modify fw internet chain rule as such.....
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN src-address=!10.10.0.0/24 comment="internet traffic"

(5) HAIRPIN, not required unless you had other users on the 192.168.55.0 subnet where the pi server resides

(6) Format for dstnat rules seems to be okay, assuming this is for external users only???

(7) Should be set to trusted subnet and thus associated interface list, where all smart devices also get their IP from .......switches APs etc... ( not all )
/ip neighbor discovery-settings
set discover-interface-list=all

/interface list member
add interface=xxxxxxxxxxxx-pppoe list=WAN
add interface=BR-Capsman list=LAN
add interface=xxxxxxxxxxxx-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=100-Casa list=LAN
add interface=400-Domus list=LAN
add interface=100-casa list=TRUSTED


(8) To be used here as well... add them as no entry implies all are allowed - poor security
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED


(9) If not using IPv6, disable it and remove all rules except
add chain=input action=drop
add chain=forward action=drop
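The two things this reply keeps coming back to, first-match ordering with a final "drop all else" and the port-53 dst-nat rule that overrides clients hard-coding 8.8.8.8 unless they are in the `excluded` list, are easy to reason about with a toy evaluator. The block below is an added illustration, not code from the thread, from MikroTik or from RouterOS: it models only the matchers these rules use (protocol, dst-port, in-interface-list, src-address-list with `!`, connection-state), and the address lists, interface-list membership and packets in it are constructed for the example.

```python
"""Toy first-match evaluator for RouterOS-style firewall chains.

Added illustration, not part of the forum thread or of RouterOS: it models
just enough of /ip firewall to show (a) why rule order matters when the
last rule is "drop all else" and (b) how the port-53 dst-nat rule with
src-address-list=!excluded redirects clients that hard-code 8.8.8.8.
All lists and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address lists, modelled on the ones in the thread.
ADDRESS_LISTS = {
    "net_casa": ["192.168.0.0/24"],
    "excluded": ["10.255.255.0/24", "172.16.0.0/20", "192.168.55.55"],
}
# Constructed interface-list membership (veth1 is deliberately not in LAN).
INTERFACE_LISTS = {
    "LAN": {"100-Casa", "200-Mamma", "300-Guest", "400-Domus"},
    "WAN": {"xxx-pppoe"},
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    conn_state: str = "new"


def in_address_list(addr: str, list_name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in ADDRESS_LISTS[list_name])


def matches(rule: dict, pkt: Packet) -> bool:
    """Every matcher present in the rule must hold; action/comment/to-* are not matchers."""
    for key, want in rule.items():
        if key in ("action", "comment", "to-addresses"):
            continue
        if key == "protocol" and pkt.proto != want:
            return False
        if key == "dst-port" and pkt.dport not in want:
            return False
        if key == "in-interface-list" and pkt.in_iface not in INTERFACE_LISTS[want]:
            return False
        if key == "connection-state" and pkt.conn_state not in want:
            return False
        if key == "src-address-list":
            negated = want.startswith("!")
            # "!excluded" matches only when the source is NOT in the list.
            if in_address_list(pkt.src, want.lstrip("!")) == negated:
                return False
    return True


def first_match(rules, pkt):
    """RouterOS semantics: the first matching rule decides; no match means
    the chain's default, which is accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


# dstnat chain as suggested in the thread: UDP and TCP 53 from LAN, except 'excluded'.
DSTNAT = [
    {"action": "dst-nat", "comment": "Pihole", "dst-port": {53}, "protocol": proto,
     "in-interface-list": "LAN", "src-address-list": "!excluded",
     "to-addresses": "192.168.55.55"}
    for proto in ("udp", "tcp")
]

# input chain in the recommended order: established first, trusted subnet,
# DNS/NTP for everyone on LAN, then drop everything else.
INPUT = [
    {"action": "accept", "comment": "established,related",
     "connection-state": {"established", "related"}},
    {"action": "accept", "comment": "trusted subnet full access",
     "src-address-list": "net_casa"},
    {"action": "accept", "comment": "DNS/NTP for LAN",
     "dst-port": {53, 123}, "in-interface-list": "LAN", "protocol": "udp"},
    {"action": "drop", "comment": "DROP ALL ELSE"},
]
# Same rules with the catch-all drop moved to the top: the lock-out mistake.
INPUT_MISORDERED = [INPUT[-1]] + INPUT[:-1]


def dns_destination(pkt: Packet) -> str:
    """Address a packet is actually delivered to after the dstnat chain."""
    rule = first_match(DSTNAT, pkt)
    return rule["to-addresses"] if rule and rule["action"] == "dst-nat" else pkt.dst


def input_verdict(pkt: Packet, rules=INPUT) -> str:
    rule = first_match(rules, pkt)
    return rule["action"] if rule else "accept"


if __name__ == "__main__":
    casa = Packet("192.168.0.50", "8.8.8.8", "udp", 53, "100-Casa")
    guest = Packet("172.16.0.5", "8.8.8.8", "udp", 53, "300-Guest")
    print(dns_destination(casa))   # 192.168.55.55: hard-coded 8.8.8.8 is overridden
    print(dns_destination(guest))  # 8.8.8.8: guest subnet is in 'excluded'
    print(input_verdict(Packet("172.16.0.5", "192.168.0.1", "tcp", 8291, "300-Guest")))  # drop
```

Two things worth noticing when running it: a query from the Pi-hole's own address (192.168.55.55, arriving on veth1) is left alone both because it is in `excluded` and because veth1 is not in the LAN interface list, which is what keeps the redirect from looping back onto the resolver; and moving the "DROP ALL ELSE" rule to the top of the input chain drops even the trusted subnet's WinBox traffic, which is why that rule goes last.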
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not works

Tue Nov 14, 2023 3:55 pm

First of all, thank you very much for the explanation and help.

I fixed the firewall as you recommended but I still have some problems:

1) If I set the DNS to 8.8.8.8 or 1.1.1.1 on my PC, tablet, phone, etc., it bypasses my pihole

2) I added these two forward chain rules but they don't work:
add action=accept chain=forward comment="allow access to Domus-Server" \
    dst-address=192.168.240.10 src-address-list=net_casa
add action=accept chain=forward comment="allow Plex to Domus" dst-address=\
    192.168.0.10 dst-address-list="" dst-port=32400 protocol=tcp \
    src-address-list=net_domus

3)
add interface=100-home list=TRUSTED
It's not possible to do, it only leaves me WAN or LAN, can you explain better how to do it? (os 7.12)

4) Did I set the interfaces correctly?
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=xxx-pppoe list=WAN
add interface=BR-Capsman list=LAN
add interface=xxxppoe-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=100-Home list=LAN
add interface=400-Domus list=LAN
add interface=900-Control list=LAN
--------------------------------------------

Firewall:
/ip firewall address-list
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    bogons
add address=xxx disabled=yes list=PublicIP
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Base NET" list=net_base
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "ONLY allow trusted subnet full access to router services" \
    src-address-list=net_casa
add action=accept chain=input comment="PiHole See" dst-port=53,123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="PiHole See" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
    192.168.55.55 in-interface-list=LAN
add action=accept chain=forward comment="allow access to Domus-Server" \
    dst-address=192.168.240.10 src-address-list=net_casa
add action=accept chain=forward comment="allow Plex to Domus" dst-address=\
    192.168.0.10 dst-port=32400 protocol=tcp \
    src-address-list=net_domus
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=\
    dstnat
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
    Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
    tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
    Port_Scanner
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
    3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="DROP ALL ELSE"
add action=drop chain=input comment="DROP ALL ELSE"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address=!10.10.0.0/24
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=!excluded to-addresses=\
    192.168.55.55
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=!excluded to-addresses=\
    192.168.55.55
add action=dst-nat chain=dstnat comment="Port Online: INVERTERT MAMMA" \
    dst-port=yyy in-interface=xxx-pppoe protocol=tcp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=yyy
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
Thank you
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Tue Nov 14, 2023 4:21 pm

You need to create the interface list...... a bit tricky but select INTERFACES in winbox, then SELECT TAB "Interface List"
Below this Select the word lists ( on the same line as the + symbol )

You should get a popup that allows you to add a list.
Hit the + symbol to add:
Enter in name TRUSTED then select APPLY and OK............. done.

Now it will be an available list to put interface list members on....
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Tue Nov 14, 2023 4:42 pm

I only comment on full configs, not snippets
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not works

Tue Nov 14, 2023 4:59 pm

Thanks for the reply. I'll post the complete configuration right away. Thank you very much
# 2023-11-14 15:49:54 by RouterOS 7.12
# model = RB5009UG+S+

/container mounts
add dst=/opt/list name=list_pihole src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=crono_pihole src=/usb1-part1/container_pihole/crono
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "500 107 861 504" type=partition
/interface bridge
add comment=Capsman name=BR-Capsman vlan-filtering=yes
/interface veth
add address=192.168.55.55/25,2001:470:8248:2d:c086:31ff:fe24:851a/64 gateway=\
    192.168.55.1 gateway6=2001:470:8248:2d::e name=veth1
/interface vlan
add comment=Casa interface=BR-Capsman name=100-Casa vlan-id=100
add comment=Mamma interface=BR-Capsman name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman name=400-Domus vlan-id=400
add comment=Control interface=BR-Capsman name=900-Control vlan-id=900
add comment=WAN interface=ether1 name=xxx-vlan vlan-id=xxx
/interface pppoe-client
add add-default-route=yes disabled=no interface=yyy-vlan max-mru=1480 \
    max-mtu=1480 name=yyy-pppoe use-peer-dns=yes user=zzz
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface wifiwave2 channel
add disabled=no frequency=2452 name=silent width=20/40mhz-eC
add disabled=no name=guest
add band=5ghz-ax disabled=no name=home5ghz skip-dfs-channels=all
add band=2ghz-ax disabled=no frequency=2437 name=channel6_main
add disabled=no name=service2ghz
add disabled=no name=service5ghz
add band=2ghz-ax disabled=no frequency=2412 name=channel1
add band=2ghz-ax disabled=no frequency=2462 name=channel11
/interface wifiwave2 datapath
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Casa vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus vlan-id=400
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=home
add authentication-types=wpa2-psk disabled=no name=guest
add authentication-types=wpa2-psk disabled=no name=silent
add authentication-types=wpa2-psk disabled=no name=srv
add authentication-types=wpa2-psk disabled=no name=service
/interface wifiwave2 configuration
add antenna-gain=2 channel=guest country=Italy datapath=Wifi_Guest disabled=\
    yes name=guest security=guest ssid=Clochard
add channel=silent country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=\
    yes name=silent security=silent ssid=silent
add channel=home5ghz country=Italy datapath=Wifi_Casa disabled=no name=\
    home5ghz security=home ssid=HyperLimitless
add antenna-gain=1 channel=channel1 country=Italy datapath=Wifi_Casa \
    disabled=no name=studio_2ghz security=home ssid=HyperLimitless
add channel=service2ghz country=Italy datapath=Wifi_Casa disabled=no \
    hide-ssid=no name=srv2ghz security=srv ssid=Limitless2G
add antenna-gain=1 channel=channel11 country=Italy datapath=Wifi_Casa \
    disabled=no name=centro_2ghz security=home ssid=HyperLimitless
add antenna-gain=4 channel=channel6_main country=Italy datapath=Wifi_Casa \
    disabled=no name=server_2ghz security=home ssid=HyperLimitless
add antenna-gain=1 channel=channel1 country=Italy datapath=Wifi_Casa \
    disabled=no name=taverna_2ghz security=home ssid=HyperLimitless
add antenna-gain=1 channel=channel11 country=Italy datapath=Wifi_Casa \
    disabled=no name=esterno_2ghz security=home ssid=HyperLimitless
add channel=service2ghz country=Italy datapath=Wifi_Domus disabled=no \
    hide-ssid=no mode=ap name=service2G security=service ssid=LimitService2G
add channel=service5ghz country=Italy datapath=Wifi_Domus disabled=no \
    hide-ssid=yes mode=ap name=service5G security=service ssid=LimitService5G
/ip kid-control
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
    thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
    0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=CasaPool ranges=192.168.0.100-192.168.0.200
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=ControlPool ranges=10.10.0.2-10.10.0.254
add name=DomusPool ranges=192.168.240.2-192.168.240.254
/ip dhcp-server
add add-arp=yes address-pool=CasaPool interface=100-Casa lease-script="# When \
    \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1d name=Casa_dhcp
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
    lease-time=1d name=Mamma_dchp relay=10.255.254.2 server-address=\
    10.255.254.1
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
    name=Guests_dhcp
add add-arp=yes address-pool=ControlPool disabled=yes interface=BR-Capsman \
    lease-time=1w name=Control_dhcp
add add-arp=yes address-pool=DomusPool interface=400-Domus lease-script="# Whe\
    n \"1\" all DNS entries with IP address of DHCP lease are removed\r\
    \n:local dnsRemoveAllByIp \"1\"\r\
    \n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
    \n:local dnsRemoveAllByName \"1\"\r\
    \n# When \"1\" addition and removal of DNS entries is always done also for\
    \_non-FQDN hostname\r\
    \n:local dnsAlwaysNonfqdn \"1\"\r\
    \n# DNS domain to add after DHCP client hostname\r\
    \n:local dnsDomain \"lan\"\r\
    \n# DNS TTL to set for DNS entries\r\
    \n:local dnsTtl \"00:15:00\"\r\
    \n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
    \_lease attribute, like \"host-name\" or \"comment\"\r\
    \n:local leaseClientHostnameSource \"comment\"\r\
    \n\r\
    \n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
    ostnameSource\"\r\
    \n:local leaseClientHostname\r\
    \n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
    \n  :set leaseClientHostname \$\"lease-hostname\"\r\
    \n} else={\r\
    \n  :set leaseClientHostname ([:pick \\\r\
    \n    [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
    me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
    \n    0]->\"\$leaseClientHostnameSource\")\r\
    \n}\r\
    \n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
    \n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
    \n:if ([:len [\$dnsDomain]] > 0) do={\r\
    \n  :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
    \n  :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
    \n    :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
    ameShort\"\r\
    \n  }\r\
    \n}\r\
    \n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\"]\r\
    \n}\r\
    \n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
    \n  :if (\$dnsRemoveAllByName = \"1\") do={\r\
    \n    /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
    \" and name=\"\$h\"]\r\
    \n  }\r\
    \n  /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
    and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
    \n  :if (\$leaseBound = \"1\") do={\r\
    \n    :delay 1\r\
    \n    /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
    \" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
    \n  }\r\
    \n}" lease-time=1w name=Domus_dhcp
/container
add envlist=pihole_envs interface=veth1 mounts=\
    list_pihole,etc_pihole,dnsmasq_pihole,crono_pihole root-dir=\
    usb1-part1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
add key=WEBPASSWORD name=pihole_envs value="zzz"
add key=DNSMASQ_USER name=pihole_envs value=zzz
add key=SERVERIP name=pihole_envs value=192.168.55.55
/interface bridge port
add bridge=BR-Capsman interface=veth1
add bridge=BR-Capsman interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=300
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=100
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
    vlan-ids=400
/interface list member
add interface=xxx-pppoe list=WAN
add interface=BR-Capsman list=LAN
add interface=xxx-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=100-Casa list=LAN
add interface=400-Domus list=LAN
add interface=900-Control list=LAN
add interface=100-Casa list=TRUSTED
/interface wifiwave2 capsman
set enabled=yes interfaces=BR-Capsman package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    studio_2ghz name-format="" radio-mac=48:A9:8A:0E:03:52 \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=service5G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=\
    esterno_2ghz name-format="" radio-mac=48:A9:8A:0E:09:5E \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=\
    server_2ghz name-format="" radio-mac=48:A9:8A:BC:A5:25 \
    slave-configurations=silent,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=home5ghz \
    name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=\
    guest,service5G
add action=create-dynamic-enabled disabled=no master-configuration=\
    taverna_2ghz name-format="" radio-mac=48:A9:8A:0E:06:48 \
    slave-configurations=guest,srv2ghz,service2G
add action=create-dynamic-enabled disabled=no master-configuration=\
    centro_2ghz name-format="" radio-mac=48:A9:8A:0E:06:A9 \
    slave-configurations=guest,service2G
/ip address
add address=192.168.0.1/24 interface=100-Casa network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.254.1/24 interface=200-Mamma network=10.255.254.0
add address=10.10.0.1/24 interface=BR-Capsman network=10.10.0.0
add address=192.168.240.1/24 interface=400-Domus network=192.168.240.0
add address=192.168.55.1/25 interface=veth1 network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-server lease
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
    netmask=24
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
    netmask=20
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
    netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
    netmask=24
/ip dns
set cache-max-ttl=1m servers=1.1.1.1,1.0.0.1
/ip dns static
/ip firewall address-list
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=kkk disabled=yes list=PublicIP
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Base NET" list=net_base
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "ONLY allow trusted subnet full access to router services" \
    src-address-list=net_casa
add action=accept chain=input comment=PiHole dst-port=53,123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
    192.168.55.55 in-interface-list=LAN
add action=accept chain=forward comment="allow access to Domus-Server" \
    dst-address=192.168.240.10 src-address-list=net_casa
add action=accept chain=forward comment="allow Plex to Domus" dst-address=\
    192.168.0.10 dst-port=32400 protocol=tcp src-address-list=net_domus
add action=accept chain=forward comment="allow Plex to Domus" dst-address=\
    192.168.0.10 dst-port=32400 protocol=udp src-address-list=net_domus
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="DROP ALL ELSE"
add action=drop chain=input comment="DROP ALL ELSE"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address=!10.10.0.0/24
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=!excluded \
    to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=!excluded \
    to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment="Port Online: INVERTERT MAMMA" \
    dst-port=xxx in-interface=yyy-pppoe protocol=tcp to-addresses=\
    xxx.xxx.xxx.xxx to-ports=xxx
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
    routing-table=main suppress-hw-offload=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=xxx-pppoe type=external
add interface=100-Casa type=internal
add interface=400-Domus type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB-Router
/system logging
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes local-clock-stratum=1 manycast=yes use-local-clock=yes
/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Tue Nov 14, 2023 5:16 pm

(1) Missing last rule of input chain: add chain=input action=drop comment="Drop All Else"

add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp

======== goes here =============
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec


(2) Do not see why the two subnets can avoid being directed to pi server??

A. We point their devices to the DNS server, so that passive users will go there..........

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 { casa net }
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 { domus net }


B. We redirect aggressive users that change their DNS manually on PC.................

add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
in-interface-list=LAN protocol=udp src-address-list=!excluded \
to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
in-interface-list=LAN protocol=tcp src-address-list=!excluded \
to-addresses=192.168.55.55


NOTE: One subnet is not accounted for? 10.0.0.0/24, the base subnet. It is neither directed to the DNS server nor excluded from the redirect, so all users here too will get sent to Pi.
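To make the two-part breakdown above concrete, here is an added Python model that is not the poster's configuration and not RouterOS code: it re-implements only the matchers the two "Pihole" dstnat rules use (chain, protocol, dst-port, in-interface-list, negated src-address-list), with the address-list, interface-list and interface values copied from the export earlier in the thread. The sample packets are constructed. Running it shows which sources get redirected, why the guest and Mamma subnets and the Pi-hole itself are left alone, and that the base subnet noted above is redirected as well.

```python
"""Simplified model of the two "Pihole" dstnat rules from this thread.

Added illustration, not RouterOS code: only the matchers those rules use are
modelled, and the list contents are copied from the export in the thread.
Sample packets below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# /ip firewall address-list entries for list=excluded, from the export
ADDRESS_LISTS: Dict[str, List[str]] = {
    "excluded": ["10.255.255.0/24", "172.16.0.0/20", "192.168.55.55"],
}

# /interface list member entries, from the export
INTERFACE_LISTS: Dict[str, set] = {
    "LAN": {"BR-Capsman", "200-Mamma", "300-Guest", "100-Casa",
            "400-Domus", "900-Control"},
    "WAN": {"xxx-pppoe", "xxx-vlan"},
}


@dataclass(frozen=True)
class Packet:
    src: str           # client source address
    dst: str           # DNS server the client chose (possibly an external one)
    protocol: str      # "udp" or "tcp"
    dst_port: int
    in_interface: str  # router interface the packet arrived on


@dataclass(frozen=True)
class DstNatRule:
    comment: str
    protocol: str
    dst_port: int
    in_interface_list: str
    src_address_list: str  # a leading "!" negates the list, as in RouterOS
    to_address: str


# The two dstnat rules exactly as they appear under /ip firewall nat
RULES = [
    DstNatRule("Pihole", "udp", 53, "LAN", "!excluded", "192.168.55.55"),
    DstNatRule("Pihole", "tcp", 53, "LAN", "!excluded", "192.168.55.55"),
]


def in_address_list(ip: str, list_name: str) -> bool:
    """True if ip falls inside any host or CIDR entry of the named list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ADDRESS_LISTS.get(list_name, []))


def rule_matches(rule: DstNatRule, pkt: Packet) -> bool:
    """All matchers of a rule must hold for the rule to fire."""
    if pkt.protocol != rule.protocol or pkt.dst_port != rule.dst_port:
        return False
    if pkt.in_interface not in INTERFACE_LISTS.get(rule.in_interface_list, set()):
        return False
    negated = rule.src_address_list.startswith("!")
    listed = in_address_list(pkt.src, rule.src_address_list.lstrip("!"))
    return (not listed) if negated else listed


def dstnat_target(pkt: Packet, rules: List[DstNatRule] = RULES) -> Optional[str]:
    """First matching rule in the dstnat chain wins; None = destination unchanged."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.to_address
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample traffic from each subnet in the export."""
    samples = {
        "casa udp/53 to 8.8.8.8": Packet("192.168.0.50", "8.8.8.8", "udp", 53, "100-Casa"),
        "domus tcp/53 to 8.8.8.8": Packet("192.168.240.20", "8.8.8.8", "tcp", 53, "400-Domus"),
        "base udp/53 to 8.8.8.8": Packet("10.10.0.7", "8.8.8.8", "udp", 53, "BR-Capsman"),
        "guest udp/53 to 8.8.8.8": Packet("172.16.0.9", "8.8.8.8", "udp", 53, "300-Guest"),
        "mamma udp/53 to 8.8.8.8": Packet("10.255.255.9", "8.8.8.8", "udp", 53, "200-Mamma"),
        "pihole upstream udp/53": Packet("192.168.55.55", "1.1.1.1", "udp", 53, "veth1"),
        "casa DoH tcp/443 to 1.1.1.1": Packet("192.168.0.50", "1.1.1.1", "tcp", 443, "100-Casa"),
    }
    return {label: dstnat_target(pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, target in demo().items():
        print(f"{label:32} -> {target or 'not redirected'}")
```

Two things the model makes visible: the Pi-hole's own address is in the excluded list, so its upstream queries are not NATed back to itself, and the rules match only dst-port 53, so a client whose browser or OS sends DNS over HTTPS (TCP 443) or DNS over TLS (TCP 853) is never redirected. That is the browser-level DNS bypass raised later in this thread, and it is why a hit counter on the UDP/53 rule going up does not prove every client is using the Pi-hole.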
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Tue Nov 14, 2023 5:30 pm

IF a user on casa net or domus net is bypassing PI, then perhaps it's the browser using a DNS bypass??
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not works

Wed Nov 15, 2023 4:36 pm

Missing last rule of input chain add chain=input action=drop comment="Drop All Else"

Sorry wrong position of the rule. Thanks for correction!

B. We redirect aggressive users that change their DNS manually on PC.................

add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
in-interface-list=LAN protocol=udp src-address-list=!excluded \
to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment="Pihole" dst-port=53 \
in-interface-list=LAN protocol=tcp src-address-list=!excluded \
to-addresses=192.168.55.55
But this doesn't work...
IF a user on casa net or domus net is bypassing PI, then perhaps its the browser using a DNS bypass ??
I tried different PCs from casa net and different browsers (Chrome, Edge, Firefox), but they always bypass PiHole if I change DNS manually...
I'm sure that pihole works because if I am a passive user everything works; only "aggressive" users can bypass...
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dstnat rules not works

Wed Nov 15, 2023 5:50 pm

(1) Found this rule in your NAT rules LOL, should be in forward chain.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN src-address=!10.10.0.0/24


(2) No idea why the redirect rules are not working, hopefully someone with better eyes can see the issue.......??????????????
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not works

Wed Nov 15, 2023 6:17 pm

Wow it's true! I put the rule in NAT! LoL
Thank you.

For the discussion of the rule that doesn't work:

The problem is that the packets are there (at least the UDP ones), so the rule works, but it doesn't have the desired effect... Thanks anyway for the help and I hope for someone else!
 
Kataius
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: dstnat rules not works

Fri Nov 17, 2023 2:35 pm

Try with one up? :lol:
