I have these firewall rules that don't work:
# NOTE(review): both rules take src-address-list=net_domus (192.168.240.0/24 in the
# full config) to a destination inside that same /24. Hosts of one subnet/VLAN talk
# to each other switched at layer 2 (CAP -> switch -> server) and never enter the
# router's forward chain, which would explain counters stuck at zero — confirm with
# /tool torch on 400-Domus. Blocking a same-subnet client has to happen on the server
# itself, on the switch, or with wifi client isolation, not in /ip firewall filter.
add action=drop chain=forward comment="DROP access to SERVER" dst-address=\
192.168.240.210 dst-port=2424 protocol=tcp src-address-list=net_domus
add action=drop chain=forward comment="DROP access to SERVER" dst-address=\
192.168.240.210 dst-port=80 protocol=tcp src-address-list=net_domus
from the net_domus network I can still connect to 192.168.240.210;
these rules count no packets (their counters stay at zero).
---
then I have these two rules that do count packets but don't work as they should:
# NOTE(review): these match every port-53 query from LAN not in the "excluded" list,
# including queries already addressed to 192.168.55.55 (the DNS server the Casa and
# Domus DHCP networks hand out). A growing counter therefore does not by itself show
# that clients using other resolvers are being redirected. Clients that use
# DNS-over-HTTPS/TLS (tcp 443/853) are not touched by a port-53 redirect at all —
# presumably what is seen if some clients still bypass Pi-hole; verify on such a client.
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=udp src-address-list=!excluded to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.55.55
---
Finally, I set the admin user to have the following allowed address:
allowed address: 192.168.0.0/24
Thanks to anyone who will spend a little time on this.
---
my config is:
# Pi-hole container storage: host paths on the USB partition declared in /disk below.
/container mounts
add dst=/opt/list name=list_pihole src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=crono_pihole src=/usb1-part1/container_pihole/crono
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"500 107 861 504" type=partition
# Single VLAN-aware bridge; every LAN VLAN and the container veth hang off it.
/interface bridge
add comment=Capsman name=BR-Capsman priority=0x6000 vlan-filtering=yes
# veth1 is the Pi-hole container's NIC (192.168.55.55/25, gateway 192.168.55.1 on the
# router side, see /ip address). It also carries an IPv6 address although IPv6 is
# disabled globally further down — harmless while disabled.
/interface veth
add address=192.168.55.55/25,2001:470:8248:2d:c086:31ff:fe24:851a/64 gateway=\
192.168.55.1 gateway6=2001:470:8248:2d::e name=veth1
# LAN VLANs 100/200/300/400 on BR-Capsman; WAN-vlan (600) on ether1 carries PPPoE.
/interface vlan
add comment=Casa interface=BR-Capsman mtu=1480 name=100-Casa vlan-id=100
add comment=Mamma interface=BR-Capsman mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman mtu=1480 name=400-Domus vlan-id=400
add comment=WAN interface=ether1 mtu=1480 name=WAN-vlan vlan-id=600
# user=USER looks redacted for the paste; the password is not part of an export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN-vlan max-mru=1480 \
max-mtu=1480 name=WAN-pppoe use-peer-dns=yes user=USER
# TRUSTED gates neighbor discovery and MAC-server/MAC-winbox access (see /tool mac-server).
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
# Radio channel profiles referenced by the configurations below.
/interface wifiwave2 channel
add band=2ghz-g disabled=no frequency=2437 name=silent width=20/40mhz-Ce
add band=2ghz-g disabled=no name=guest
add band=5ghz-ax disabled=no name=wlan5_ghz skip-dfs-channels=all width=\
20/40/80mhz
add band=2ghz-ax disabled=no frequency=2437 name=wlan2_channel6_main width=\
20/40mhz
add band=2ghz-ax disabled=no frequency=2412 name=wlan2_channel1
add band=2ghz-ax disabled=no frequency=2462 name=wlan2_channel11
# One datapath per VLAN: each SSID is dropped onto BR-Capsman tagged with its VLAN.
/interface wifiwave2 datapath
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Casa vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus vlan-id=400
# All profiles are WPA2-PSK only; passphrases are not included in this export.
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=home
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=\
guest
add authentication-types=wpa2-psk disabled=no name=silent
add authentication-types=wpa2-psk disabled=no name=srv
add authentication-types=wpa2-psk disabled=no group-key-update=1h name=\
service
/interface wifiwave2 configuration
# guest (SSID Clochard) is disabled=yes, which is presumably why every guest slave
# interface below is flagged "# SSID not set" by the export.
add antenna-gain=2 country=Italy datapath=Wifi_Guest disabled=yes name=guest \
security=guest ssid=Clochard
add country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=yes name=silent \
security=silent ssid=silent
add antenna-gain=2 channel=wlan2_channel11 country=Italy datapath=Wifi_Casa \
disabled=no name=studio_2ghz security=home ssid=HyperLimitless
add country=Italy datapath=Wifi_Casa disabled=yes hide-ssid=no name=srv2ghz \
security=srv ssid=Limitless2G
add antenna-gain=1 channel=wlan2_channel1 country=Italy datapath=Wifi_Casa \
disabled=no name=centro_2ghz security=home ssid=HyperLimitless
add antenna-gain=2 channel=wlan2_channel6_main country=Italy datapath=\
Wifi_Casa disabled=no name=server_2ghz security=home ssid=HyperLimitless
add antenna-gain=2 channel=wlan2_channel11 country=Italy datapath=Wifi_Casa \
disabled=no name=taverna_2ghz security=home ssid=HyperLimitless
add antenna-gain=2 channel=wlan2_channel1 country=Italy datapath=Wifi_Casa \
disabled=no name=esterno_2ghz security=home ssid=HyperLimitless
add country=Italy datapath=Wifi_Domus disabled=no hide-ssid=no name=service2G \
security=service ssid=LimitService2G
add country=Italy datapath=Wifi_Domus disabled=no hide-ssid=no name=service5G \
security=service ssid=LimitService5G
add channel=wlan5_ghz country=Italy datapath=Wifi_Casa disabled=no name=\
home5G security=home ssid=HyperLimitless
# Interfaces created by the provisioning rules further down: one master per radio
# (radio-mac) plus slave virtual APs that reference master-interface. The
# "# SSID not set" lines are export annotations, not configuration.
/interface wifiwave2
add configuration=home5G disabled=no name=wifi365 radio-mac=48:A9:8A:0E:06:47
add configuration=service5G disabled=no mac-address=4A:A9:8A:0E:06:47 \
master-interface=wifi365 name=wifi366
add configuration=home5G disabled=no name=wifi367 radio-mac=48:A9:8A:0E:09:5D
add configuration=service5G disabled=no mac-address=4A:A9:8A:0E:09:5D \
master-interface=wifi367 name=wifi368
add configuration=centro_2ghz disabled=no name=wifi369 radio-mac=\
48:A9:8A:0E:06:A9
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:A9 \
master-interface=wifi369 name=wifi370
add configuration=service2G disabled=no mac-address=4A:A9:8A:0E:06:AA \
master-interface=wifi369 name=wifi371
add configuration=studio_2ghz disabled=no name=wifi372 radio-mac=\
48:A9:8A:0E:03:52
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:03:52 \
master-interface=wifi372 name=wifi373
add configuration=service2G disabled=no mac-address=4A:A9:8A:0E:03:53 \
master-interface=wifi372 name=wifi374
add configuration=server_2ghz disabled=no name=wifi375 radio-mac=\
48:A9:8A:BC:A5:25
add configuration=silent disabled=no mac-address=4A:A9:8A:BC:A5:25 \
master-interface=wifi375 name=wifi376
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:BC:A5:26 \
master-interface=wifi375 name=wifi377
add configuration=service2G disabled=no mac-address=4A:A9:8A:BC:A5:27 \
master-interface=wifi375 name=wifi378
add configuration=esterno_2ghz disabled=no name=wifi379 radio-mac=\
48:A9:8A:0E:09:5E
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:09:5E \
master-interface=wifi379 name=wifi380
add configuration=service2G disabled=no mac-address=4A:A9:8A:0E:09:5F \
master-interface=wifi379 name=wifi381
add configuration=taverna_2ghz disabled=no name=wifi382 radio-mac=\
48:A9:8A:0E:06:48
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:48 \
master-interface=wifi382 name=wifi383
add configuration=service2G disabled=no mac-address=4A:A9:8A:0E:06:49 \
master-interface=wifi382 name=wifi384
add configuration=home5G disabled=no name=wifi385 radio-mac=48:A9:8A:0E:06:A8
add configuration=service5G disabled=no mac-address=4A:A9:8A:0E:06:A8 \
master-interface=wifi385 name=wifi386
add configuration=home5G disabled=no name=wifi387 radio-mac=48:A9:8A:0E:03:51
add configuration=service5G disabled=no mac-address=4A:A9:8A:0E:03:51 \
master-interface=wifi387 name=wifi388
add configuration=home5G disabled=no name=wifi389 radio-mac=48:A9:8A:BC:A5:24
add configuration=service5G disabled=no mac-address=4A:A9:8A:BC:A5:24 \
master-interface=wifi389 name=wifi390
# Disabled placeholder entry; has no effect while disabled=yes.
/ip kid-control
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# DHCP pools, one per VLAN. MammaPool is 10.255.255.x, a subnet behind the relay at
# 10.255.254.2 (see Mamma_dchp and the /ip route entries).
/ip pool
add name=CasaPool ranges=192.168.0.100-192.168.0.200
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=DomusPool ranges=192.168.240.100-192.168.240.200
/ip dhcp-server
# Casa: the lease-script keeps /ip dns static in sync with leases — hostname taken
# from the lease comment, suffixed with .lan, TTL 15 min, entries tagged with a
# "dhcp-lease-script_..." comment so only script-owned records are ever removed.
add add-arp=yes address-pool=CasaPool interface=100-Casa lease-script="# When \
\"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"lan\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1d name=Casa_dhcp
# Mamma: served through a DHCP relay at 10.255.254.2 (the downstream AP). The name
# Mamma_dchp is a typo but only cosmetic.
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
lease-time=1d name=Mamma_dchp relay=10.255.254.2 server-address=\
10.255.254.1
# Guests: short 12h leases, no lease script.
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
name=Guests_dhcp
# Domus: same lease-script as Casa (DNS static sync), 1-week leases.
add add-arp=yes address-pool=DomusPool interface=400-Domus lease-script="# Whe\
n \"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"lan\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1w name=Domus_dhcp
# Pi-hole container: attached to veth1, root and mounts on the USB partition.
/container
add envlist=pihole_envs interface=veth1 mounts=\
list_pihole,etc_pihole,dnsmasq_pihole,crono_pihole root-dir=\
usb1-part1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
# Container env values are stored and exported in clear text. WEBPASSWORD and
# DNSMASQ_USER appear as placeholders here; keep the real values out of any paste.
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
add key=WEBPASSWORD name=pihole_envs value="PASSWORD"
add key=DNSMASQ_USER name=pihole_envs value=USER
add key=SERVERIP name=pihole_envs value=192.168.55.55
# NOTE(review): veth1 is made a bridge port here *and* holds 192.168.55.1/25 in
# /ip address. RouterOS normally marks an IP address on a bridge slave port as
# invalid — TODO confirm in /ip address that the veth1 entry is active. If it is not,
# 192.168.55.0/25 has no router-side gateway and Pi-hole is reached only via the bridge.
/interface bridge port
add bridge=BR-Capsman interface=veth1
add bridge=BR-Capsman interface=sfp-sfpplus1
# Frames bridged through BR-Capsman also traverse /ip firewall. Frames switched
# between devices behind sfp-sfpplus1 (same VLAN, same switch/CAP) never reach the
# bridge, so the router cannot filter those.
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
# IPv6 fully off; the veth1 and ipv6 firewall entries below are inert while this holds.
/ipv6 settings
set disable-ipv6=yes forward=no
# Every LAN VLAN is tagged on the bridge itself (router-side VLAN interfaces) and on
# sfp-sfpplus1, the trunk towards the switch and CAPs.
/interface bridge vlan
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=300
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=100
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=400
# LAN = the bridge plus all four VLANs (the guest VLAN included); TRUSTED = Casa and
# Domus only. Firewall rules using in-interface-list=LAN therefore cover guests too.
/interface list member
add interface=WAN-pppoe list=WAN
add interface=BR-Capsman list=LAN
add interface=WAN-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=100-Casa list=LAN
add interface=400-Domus list=LAN
add interface=100-Casa list=TRUSTED
add interface=400-Domus list=TRUSTED
# Single accept entry for one MAC prefix (mask FF:FF:FF:00:00:00). There is no
# trailing reject entry, so presumably clients matching no entry are still
# accepted — verify if this was meant to be an allow-list.
/interface wifiwave2 access-list
add action=accept comment="Apple Device" disabled=no mac-address=\
18:34:51:00:00:00 mac-address-mask=FF:FF:FF:00:00:00
# require-peer-certificate=no: CAPs are not authenticated, so any device on
# BR-Capsman that speaks the CAPsMAN protocol can register and be provisioned.
# If that risk matters, issue certificates to the CAPs and set
# require-peer-certificate=yes.
/interface wifiwave2 capsman
set enabled=yes interfaces=BR-Capsman package-path="" \
require-peer-certificate=no upgrade-policy=none
# Provisioning is keyed on radio-mac; each rule yields the master + slave interfaces
# listed under /interface wifiwave2 above.
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=studio_2ghz \
name-format="" radio-mac=48:A9:8A:0E:03:52 slave-configurations=\
guest,service2G
add action=create-enabled disabled=no master-configuration=home5G \
name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=service5G
add action=create-enabled disabled=no master-configuration=home5G \
name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=service5G
add action=create-enabled disabled=no master-configuration=home5G \
name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=service5G
add action=create-enabled disabled=no master-configuration=home5G \
name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=service5G
add action=create-enabled disabled=no master-configuration=esterno_2ghz \
name-format="" radio-mac=48:A9:8A:0E:09:5E slave-configurations=\
guest,service2G
add action=create-enabled disabled=no master-configuration=server_2ghz \
name-format="" radio-mac=48:A9:8A:BC:A5:25 slave-configurations=\
silent,guest,service2G
add action=create-enabled disabled=no master-configuration=home5G \
name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=service5G \
supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=centro_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:A9 slave-configurations=\
guest,service2G
add action=create-enabled disabled=no master-configuration=taverna_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:48 slave-configurations=\
guest,service2G
# Router addresses, one per VLAN. Mamma is 10.255.254.0/24 here while its DHCP pool
# is 10.255.255.x behind the relay 10.255.254.2 (routed, see /ip route).
/ip address
add address=192.168.0.1/24 interface=100-Casa network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.254.1/24 interface=200-Mamma network=10.255.254.0
add address=192.168.240.1/24 interface=400-Domus network=192.168.240.0
# veth1 is also a bridge port (see /interface bridge port) — TODO confirm this
# address is not flagged invalid.
add address=192.168.55.1/25 interface=veth1 network=192.168.55.0
# Dynamic DNS through MikroTik cloud; publishes the WAN address daily.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
# Mamma and Guest get public resolvers and are in the "excluded" address list, so the
# Pi-hole dst-nat leaves them alone; Casa and Domus get Pi-hole directly.
/ip dhcp-server network
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
netmask=24
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
netmask=20
add address=192.168.0.0/24 dns-server=192.168.55.55 gateway=192.168.0.1 \
netmask=24
add address=192.168.240.0/24 dns-server=192.168.55.55 gateway=192.168.240.1 \
netmask=24
# Router's own upstream resolvers. allow-remote-requests is not set, so presumably
# at its default and the router does not serve DNS to clients itself.
/ip dns
set cache-max-ttl=1m servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
# "bogons" is referenced only by the forward "Drop to bogon list" rule; see the
# ordering note in /ip firewall filter.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=bogons
# DNS-name entry (resolved by the router). No rule in this export references the
# PublicIP list, so it is currently unused.
add address=PUBLIC.com list=PublicIP
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
# "excluded" = sources the Pi-hole dst-nat must not redirect: Mamma, Guest, Pi-hole
# itself, and net_base.
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
# 10.10.0.0/24 has no VLAN, address or DHCP network in this export.
add address=10.10.0.0/24 comment="Base NET" list=net_base
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
/ip firewall filter
# ---- input chain: traffic to the router itself ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Despite the comment, these admit DNS/NTP to the *router* (Pi-hole lives on
# 192.168.55.55, reached through the forward chain). udp/123 serves the local NTP
# server enabled below; 53 is presumably only needed if /ip dns allow-remote-requests
# is turned on.
add action=accept chain=input comment=PiHole dst-port=53,123 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="PiHole" dst-port=53 in-interface-list=\
LAN protocol=tcp
# SSH only from the Domus server. NOTE(review): the post says user admin has
# allowed-address 192.168.0.0/24; if admin is the only user, a login from
# 192.168.240.210 passes the firewall but is refused by the user's address restriction.
add action=accept chain=input comment="SSH" dst-port=22 protocol=tcp \
src-address=192.168.240.210
# SYN-flood / port-scan listing applies to LAN sources too (it precedes the LAN check
# below); a noisy LAN host can be locked out of the router for 30m / 1w.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
# Nothing above accepts Winbox/WebFig/SSH from the LAN in general, so IP-based
# management from Casa/Domus is dropped here; the remaining management path is the
# MAC server / MAC-winbox on the TRUSTED list (see /tool mac-server).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="DROP ALL ELSE"
# ---- forward chain: traffic through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Whole LAN list (guest VLAN included) to Pi-hole on every port — that also exposes
# the Pi-hole admin web UI to guests; restricting to dst-port=53 (udp+tcp) from
# non-trusted VLANs would limit that.
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
192.168.55.55 in-interface-list=LAN
add action=accept chain=forward comment="allow access to AP Mamma" \
dst-address=10.255.254.2 src-address-list=net_casa
add action=accept chain=forward comment="allow access to ALL DomusNET" \
dst-address-list=net_domus src-address-list=net_casa
# NOTE(review): src and dst are both inside 192.168.240.0/24. Same-subnet traffic is
# switched at layer 2 (CAP -> switch -> server) and never enters the forward chain,
# which explains zero counters; the restriction has to live on the server, the switch
# or in wifi client isolation. Casa -> server is already accepted two rules up.
add action=drop chain=forward comment="DROP access to SERVER" dst-address=\
192.168.240.210 dst-port=2424 protocol=tcp src-address-list=net_domus
add action=drop chain=forward comment="DROP access to SERVER" dst-address=\
192.168.240.210 dst-port=80 protocol=tcp src-address-list=net_domus
# Redundant: net_casa -> net_domus (which contains .210) is accepted above.
add action=accept chain=forward comment="allow access to Domus-Server" \
dst-address=192.168.240.210 src-address-list=net_casa
# NOTE(review): this blanket LAN->WAN accept precedes the bogon-destination drop and
# the spammer rules below, so for LAN-originated traffic those rules never match
# (dead code). Move them above this rule if they are meant to act on outbound traffic.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
# Also admits UPnP-created mappings (see /ip upnp).
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Inter-VLAN traffic not explicitly accepted above (guest/Mamma -> anything but Pi-hole
# and WAN, Domus -> Casa, ...) ends here.
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Pi-hole redirect: any port-53 query from LAN whose source is not in "excluded" is
# rewritten to 192.168.55.55. This also matches queries already addressed to
# 192.168.55.55 (the DHCP-advertised DNS), so a rising counter does not prove that
# third-party resolvers are being redirected. DNS-over-HTTPS/TLS (443/853) is not
# caught by a port-53 redirect. Replies are reverse-translated by connection tracking.
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=udp src-address-list=!excluded to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.55.55
# Conntrack helpers for ftp/h323/pptp turned off.
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
# Route to the Mamma DHCP pool subnet via the downstream AP at 10.255.254.2.
# The same route is present three times; two of the entries are redundant.
/ip route
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
# UPnP lets any host on Casa or Domus open inbound WAN port mappings on its own;
# the forward "port forwarding" rule (connection-nat-state=dstnat) then admits that
# traffic. Disable it, or restrict it to the VLAN that really needs it, if unintended.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=WAN-pppoe type=external
add interface=100-Casa type=internal
add interface=400-Domus type=internal
# Default bad_ipv6 list; no rule in this export references it. Inert anyway while
# /ipv6 settings disable-ipv6=yes.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# Drop everything on both chains — consistent with IPv6 being disabled globally.
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router
# All added logging entries are disabled; "set 2 disabled=yes" turns off one of the
# default logging actions (presumably the warning topic — confirm with /system logging print).
/system logging
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
# Router serves NTP to the LAN (input accepts udp/123 from LAN), using its own clock
# as stratum 1 even when upstream sync is lost.
/system ntp server
set enabled=yes local-clock-stratum=1 manycast=yes use-local-clock=yes
/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org
# MAC-layer management (MAC-telnet / MAC-winbox) only from Casa and Domus. Since the
# input chain accepts no IP-level Winbox/WebFig/SSH from the LAN, this is presumably
# the intended management path from those VLANs.
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED