Config with Advanced Firewall verification requested (WG, DoH & server are working great). Nothing is failing (2024)

Greetings everyone. I have configured the hEX S for 2 networks, one just for testing. I'm requesting someone to review the configuration to check if I'm missing anything or have too many rules in place (or redundant) & if they're in the proper order. The default config was wiped & started from scratch. I used the Mikrotik Advanced Firewall using RAW filters along with some custom rules for Wireguard & internal server that were found in this forum. Everything is working great & as expected, both from LAN & WAN. Both networks can reach each other. Goal is to have a secure network only allowing what I want to pass through.

One of my concerns is on the below 2 rules. On MT's website for advanced firewall (link posted below), it says "untracked". I've read a few of Anav's posts that state to use "tracked". Looking for the proper setting for these:

add action=accept chain=input comment=\
"Rule: accept established,related,untracked" connection-state=\
established,related,untracked

add action=accept chain=forward comment=\
"Rule: accept established,related, untracked" connection-state=\
established,related,untracked

Advanced Firewall used: https://help.mikrotik.com/docs/display/ ... d+Firewall

hEX S on ROS 7.12 stable
- Wireguard is working great.
- DoH is working great using either Cloudflare, Google, CleanBrowsing or OpenDNS. All are working. Using Cloudflare at the moment.
- Server access is working great between LAN & WAN.
- Both LAN networks can reach each other & WAN.
- Queues work great. Currently disabled to allow use of fasttrack.
- Winbox allowed only from primary LAN (Lan Bridge) using custom port.

Config dump:

# 2023-11-26 08:38:44 by RouterOS 7.12
# software id = NRY1-5C8G
#
# model = RB760iGS
# serial number = **********
/interface bridge
add comment=my.LAN.block name="Lan Bridge"
add comment="my.LAN.block-2 - Ether3" name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="ATT Fiber Modem"
set [ find default-name=ether2 ] comment="Nokia AC3000 WAP"
set [ find default-name=ether3 ] comment="Test Port"
set [ find default-name=ether4 ] comment=\
    "SyncServer Eth1 - Load Balancing - Server Side"
set [ find default-name=ether5 ] comment=\
    "SyncServer Eth2 - Load Balancing - Server Side" poe-out=off
/interface wireguard
add comment="Personal VPN" listen-port=port mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=LAN ranges=my.LAN.block
add name=dhcp_pool4 ranges=my.LAN.block-2
/ip dhcp-server
add address-pool=LAN interface="Lan Bridge" lease-time=10m name=dhcp1
add address-pool=dhcp_pool4 interface=bridge1 lease-time=1m name=dhcp2
/queue simple
add comment="AppleTV - Home Theatre" disabled=yes limit-at=50M/50M max-limit=\
    1G/1G name="AppleTV - Home Theatre" queue=\
    pcq-upload-default/pcq-download-default target=AppleTV.IP/32 \
    total-queue=synchronous-default
add comment=SyncServer disabled=yes limit-at=50M/50M max-limit=1G/1G name=\
    SyncServer queue=pcq-upload-default/pcq-download-default target=\
    Server.IP/32 total-queue=synchronous-default
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge="Lan Bridge" interface=ether2
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
add bridge=bridge1 interface=ether3
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface="Lan Bridge" list=LAN
add interface=wireguard1 list=LAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=my.LAN.block-WG client-dns=\
    1.1.1.3 client-endpoint=123.456.789.123 client-listen-port=port \
    comment="Personal VPN" endpoint-address=WG.IP endpoint-port=port \
    interface=wireguard1 preshared-key=\
    "*******************************************" private-key=\
    "*******************************************" public-key=\
    "*******************************************"
/ip address
add address=my.LAN.block/24 interface="Lan Bridge" network=my.LAN.block
add address=my.LAN.block-WG/24 interface=wireguard1 network=my.LAN.block-WG
add address=my.LAN.block-2/24 interface=bridge1 network=my.LAN.block-2
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=my.LAN.block/24 dns-server=my.LAN.block.router gateway=my.LAN.block
add address=my.LAN.block-2/24 dns-server=1.1.1.1 gateway=my.LAN.block-2
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 \
    doh-max-server-connections=20 doh-timeout=6s servers=1.1.1.1,1.0.0.1 \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=Server.IP comment=SyncServer list=SyncServer
add address=my.LAN.block/24 comment="Private LAN" list=LAN
add address=123.456.789.123 comment="ATT Fiber" list=WAN
add address=0.0.0.0/8 comment="Rule: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="Rule: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="Rule: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="Rule: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="Rule: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="Rule: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="Rule: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="Rule: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="Rule: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="Rule: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="Rule: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="Rule: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="Rule: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="Rule: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="Rule: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="Rule: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="Rule: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="Rule: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="Rule: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="Rule: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="Rule: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="Rule: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="Rule: RFC6890" list=bad_dst_ipv4
add address=my.LAN.block-WG/24 comment="Wireguard - Personal VPN" list=LAN
add address=my.LAN.block-2/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "Rule: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Rule: accept ICMP after RAW" protocol=\
    icmp
add action=accept chain=input comment="Rule: allow WireGuard" dst-port=port \
    protocol=udp
add action=accept chain=input comment="Rule: allow WireGuard" dst-port=port \
    protocol=udp
add action=drop chain=input comment="Rule: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "Rule: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="Rule: fasttrack" \
    connection-mark=no-mark connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "Rule: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Rule: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Rule: internet" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Rule: port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Rule: allow all LAN networks" \
    connection-state="" dst-address-list=LAN src-address-list=LAN
add action=drop chain=forward comment="Rule: DROP ALL ELSE" log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN Masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT - LAN" \
    dst-address-list=LAN src-address-list=LAN
add action=dst-nat chain=dstnat comment="SyncServer NAT - HTTPS" \
    dst-address-type=local dst-port=port log=yes protocol=tcp to-addresses=\
    Server.IP to-ports=port
add action=dst-nat chain=dstnat comment="SyncServer NAT - VPN" \
    dst-address-type=local dst-port=port log=yes protocol=tcp to-addresses=\
    Server.IP to-ports=port
add action=src-nat chain=srcnat comment="Hide LAN IP's for WAN" \
    out-interface-list=WAN src-address-list=LAN to-addresses=123.456.789.123
add action=accept chain=srcnat comment=\
    "Rule: accept all that matches IPSec policy" disabled=yes ipsec-policy=\
    out,ipsec
/ip firewall raw
add action=accept chain=prerouting comment=\
    "Rule: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="Rule: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Rule: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Rule: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="Rule: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="Rule: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="Rule: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "Rule: drop forward to local lan from WAN" dst-address-list=LAN \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "Rule: drop local if not from default IP range" in-interface-list=LAN \
    src-address-list=!LAN
add action=drop chain=prerouting comment="Rule: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="Rule: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="Rule: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "Rule: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "Rule: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="Rule: drop the rest"
add action=drop chain=bad_tcp comment="Rule: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="Rule: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="Rule: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Rule: net unreachable" icmp-options=\
    3:0 protocol=icmp
add action=accept chain=icmp4 comment="Rule: host unreachable" icmp-options=\
    3:1 protocol=icmp
add action=accept chain=icmp4 comment="Rule: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="Rule: port unreachable" icmp-options=\
    3:3 protocol=icmp
add action=accept chain=icmp4 comment="Rule: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="Rule: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Rule: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="Rule: drop other icmp" protocol=icmp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=my.LAN.block.personal/24 port=1234
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system logging
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=my.LAN.block enabled=yes multicast=\
    yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
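One way to check the "redundant rules" and "proper order" questions mechanically, as an added example that is not from the original post or from MikroTik: a small Python audit over an export in the same form as the dump above. It assumes the export syntax shown (backslash line continuations, section headers beginning with "/"), runs on a constructed sample modelled on the post's filter rules, and the finding names "duplicate" and "shadowed" are my own.

```python
"""Audit a RouterOS export for duplicate or shadowed firewall rules.
Added example, not from the original post: reads export text in the same
form as the dump above ('\\' continues a line, '/...' opens a section)."""
import re
import shlex

# Constructed sample modelled on the post's /ip firewall filter section.
SAMPLE = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "Rule: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Rule: allow WireGuard" dst-port=port \
    protocol=udp
add action=accept chain=input comment="Rule: allow WireGuard" dst-port=port protocol=udp
add action=drop chain=input comment="Rule: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Rule: DROP ALL ELSE" log=yes
add action=accept chain=forward comment="unreachable" protocol=icmp
"""

def parse_rules(text):
    """Return [(section, {key: value})] for every 'add' line in the export."""
    joined = re.sub(r"\\\n\s*", "", text)  # merge '\'-continued lines
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append((section, kv))
    return rules

def audit(rules):
    """Return [(finding, rule_index, comment)]; finding is 'duplicate' or 'shadowed'."""
    findings, seen, closed = [], set(), set()
    for idx, (section, kv) in enumerate(rules):
        if "chain" not in kv or kv.get("disabled") == "yes":
            continue
        chain = (section, kv["chain"])
        # comment= and log= never affect matching, so compare without them.
        matchers = frozenset((k, v) for k, v in kv.items() if k not in ("comment", "log"))
        if chain in closed:
            findings.append(("shadowed", idx, kv.get("comment", "")))
        elif matchers in seen:
            findings.append(("duplicate", idx, kv.get("comment", "")))
        seen.add(matchers)
        if matchers == {("action", "drop"), ("chain", kv["chain"])}:  # bare drop ends the chain
            closed.add(chain)
    return findings
```

On the constructed sample it flags the second "allow WireGuard" rule as a duplicate and the forward rule placed after "DROP ALL ELSE" as shadowed; run it against a real export to review your own chains.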