Hey,
I initially set up my firewall rules with the intention of having a single "drop" action at the end of the input and forward chains and only "whitelisting" the traffic that I want to allow. However, since this is the first time I am doing this, and the wiki page (https://help.mikrotik.com/docs/display/ ... LANdevices) mentions some more drop rules and a fasttrack connection, I got unsure. Could somebody check whether my firewall rules are solid and what kind of optimization would make sense?
Code:
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow IOT SMB Access to NAS" connection-state=new dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station" connection-state=new dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant" connection-state=new dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Surveillance NTP Access for timesync" connection-state=new dst-port=123 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward connection-state=new dst-port=53 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=drop chain=forward comment=Drop
Statistics: Posted by fobo — Fri Feb 23, 2024 4:18 pm
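Whether a whitelist-with-final-drop ruleset is "solid" comes down to first-match ordering: RouterOS walks a chain top to bottom, the first rule whose matchers all fit decides, and a chain in which nothing matches accepts. The following simulator is an added example, not code from the post or from MikroTik: it encodes the posted rules as data and evaluates constructed sample packets against them so the decision for any given flow can be checked without a router. The interface-list membership (BASE = base-vlan, VLAN = iot-vlan, VLAN-LOCAL = surveillance-vlan, WAN = ether1), the WireGuard interface name and all sample addresses are assumptions, since the post does not show /interface list member.

```python
# Added example, not code from the original post: a first-match simulator for
# the posted /ip firewall filter rules. RouterOS walks a chain top to bottom,
# the first matching rule decides, and a chain with no matching rule accepts.
# Only the matchers the post uses are modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ASSUMPTION: /interface list member is not in the post; membership is invented.
INTERFACE_LISTS = {
    "BASE": {"base-vlan"},
    "VLAN": {"iot-vlan"},
    "VLAN-LOCAL": {"surveillance-vlan"},
    "WAN": {"ether1"},
}


@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str] = None   # None for the input chain
    proto: str = "tcp"
    dst_port: Optional[int] = None
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    state: str = "new"                # new | established | related | invalid


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    state: Optional[set] = None       # connection-state=...
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """An unset matcher is a wildcard; every set matcher must match."""
        return all([
            self.state is None or p.state in self.state,
            self.proto is None or p.proto == self.proto,
            self.dst_port is None or p.dst_port == self.dst_port,
            self.in_iface is None or p.in_iface == self.in_iface,
            self.out_iface is None or p.out_iface == self.out_iface,
            self.in_list is None or p.in_iface in INTERFACE_LISTS[self.in_list],
            self.out_list is None or p.out_iface in INTERFACE_LISTS[self.out_list],
            self.src_addr is None or ip_address(p.src) in ip_network(self.src_addr),
            self.dst_addr is None or ip_address(p.dst) in ip_network(self.dst_addr),
        ])


ER, NEW = {"established", "related"}, {"new"}
NAS = "10.0.10.11"
# The posted rules, in the posted order (the order is what makes the final drop safe).
RULES = [
    Rule("input", "accept", "Allow Estab & Related", state=ER),
    Rule("input", "accept", "Allow WireGuard", proto="udp", dst_port=13231),
    Rule("input", "accept", "Allow WireGuard traffic", src_addr="192.168.100.0/24"),
    Rule("input", "accept", "Allow BASE Full Access", in_list="BASE"),
    Rule("input", "accept", "Allow VLAN DNS Server Access", state=NEW, proto="tcp", dst_port=53, in_list="VLAN"),
    Rule("input", "accept", "", state=NEW, proto="udp", dst_port=53, in_list="VLAN"),
    Rule("input", "drop", "Drop"),
    Rule("forward", "accept", "Allow Estab & Related", state=ER),
    Rule("forward", "accept", "Allow BASE access to all VLANs", state=NEW, in_list="BASE", out_list="VLAN"),
    Rule("forward", "accept", "Allow BASE access to all VLANs", state=NEW, in_list="BASE", out_list="VLAN-LOCAL"),
    Rule("forward", "accept", "Allow VLAN Internet Access", state=NEW, in_list="VLAN", out_list="WAN"),
    Rule("forward", "accept", "Allow IOT SMB Access to NAS", state=NEW, proto="tcp", dst_port=445, dst_addr=NAS, in_iface="iot-vlan", out_iface="base-vlan"),
    Rule("forward", "accept", "Allow X1 Access to Surveillance Station", state=NEW, proto="tcp", dst_port=9900, dst_addr=NAS, in_iface="iot-vlan", out_iface="base-vlan"),
    Rule("forward", "accept", "Allow Mobile Access to Surveillance Station", state=NEW, proto="tcp", dst_port=9901, dst_addr=NAS, in_iface="iot-vlan", out_iface="base-vlan"),
    Rule("forward", "accept", "Allow Mobile Access to File Station", state=NEW, proto="tcp", dst_port=7001, dst_addr=NAS, in_iface="iot-vlan", out_iface="base-vlan"),
    Rule("forward", "accept", "Allow Mobile Access to Home Assistant", state=NEW, proto="tcp", dst_port=8123, dst_addr=NAS, in_iface="iot-vlan", out_iface="base-vlan"),
    Rule("forward", "accept", "Allow Surveillance NTP Access for timesync", state=NEW, proto="udp", dst_port=123, in_iface="surveillance-vlan", out_list="WAN"),
    Rule("forward", "accept", "", state=NEW, proto="udp", dst_port=53, in_iface="surveillance-vlan", out_list="WAN"),
    Rule("forward", "drop", "Drop"),
]


def evaluate(chain: str, p: Packet):
    """Return (action, comment) of the first rule in `chain` that matches p."""
    for r in RULES:
        if r.chain == chain and r.matches(p):
            return r.action, r.comment
    return "accept", "(no rule matched: chain default)"


if __name__ == "__main__":
    # Constructed sample: an IoT device trying SSH (22) and SMB (445) to the NAS.
    for port in (22, 445):
        p = Packet("iot-vlan", "base-vlan", "tcp", port, "10.0.20.5", NAS)
        print(port, evaluate("forward", p))
```

Run as-is it reports port 22 dropped and 445 accepted, which is the whitelist behaving as intended. Two further probes are worth trying against the model: a packet with connection-state=invalid from base-vlan to the router is accepted by "Allow BASE Full Access", because that rule carries no connection-state matcher, whereas the same invalid packet in the forward chain falls through to the final drop. That difference is the case the wiki's extra "drop invalid" rule is there to close, and a fasttrack-connection rule, if added, would sit ahead of the established,related accept in the forward chain so it sees the same traffic that rule currently handles.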