falostart.blogg.se

Mikrotik bridge firewall

So group your input and forward chain as two groups. Also I recommend that you group the rules on chain type. Your "Disallow weird packages" is below your drop everything, so these rules will never be hit and are useless in the place you have configured them now. You did copy the rules, but the order is not really ok.

I am aware that MikroTik RouterOS is not a firewall but a router only; of course it can do many of the firewall features, by the way. I wish that MikroTik could CLOSE all the traffic by default so we can just open what we need instead of opening everything as default, kind of weird if you ask me. Internet without any rule because the server has the official IP address and does not need a NAT.


I was able to access the internet from the server without any rule in the firewall list, and I am also able to access the server FROM the

What I do not understand here in MikroTik is why we need to allow the traffic from LAN, as everything works without any rule? I have just copied and pasted the rules you wrote, and please see the screenshot I took from the WinBox GUI.

Ros code

# Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=input action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=input action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=input action=accept connection-state=related comment="Allow connections that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything from anywhere on any interface"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related comment="Allow connections that originated from LAN"


Add custom accept rules above the drop ones shown. Use the GUI tool from here to open ports, which is very simple to do. Study the rules below, which do what you need.
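
The ordering point made above (a rule placed below the unconditional drop of its chain is never reached) can be checked mechanically. The following Python sketch is an added example, not code from the original posts or from MikroTik; it assumes one `add ...` rule per line as in the listing above, and `parse_rule`, `find_shadowed` and the `SAMPLE` rule set are names and data constructed for illustration.

```python
import shlex

# Constructed sample: the mis-ordered layout the reply describes, with the
# "Disallow weird packets" rule sitting below the drop-everything rule.
SAMPLE = '''
add chain=input action=accept connection-state=established comment="Allow connections that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything from anywhere on any interface"
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet"
'''

# Actions that end processing of a packet in the chain.
TERMINAL = {"accept", "drop", "reject", "tarpit"}
# Keys that do not narrow what a rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled"}

def parse_rule(line):
    """Split one 'add key=value ...' line into a dict; quoted values may contain spaces."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def find_shadowed(export_text):
    """Return (chain, comment, blocking_comment) for rules listed after a catch-all rule."""
    catch_all = {}   # chain -> comment of its first unconditional terminal rule
    shadowed = []
    for line in export_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule.get("disabled") == "yes":
            continue
        chain = rule.get("chain", "")
        if chain in catch_all:
            shadowed.append((chain, rule.get("comment", ""), catch_all[chain]))
            continue
        # A rule with no matchers and a terminal action catches every packet.
        if not (set(rule) - NON_MATCHERS) and rule.get("action", "accept") in TERMINAL:
            catch_all[chain] = rule.get("comment", "")
    return shadowed

if __name__ == "__main__":
    for chain, comment, blocker in find_shadowed(SAMPLE):
        print(f"[{chain}] '{comment}' is never reached: it follows '{blocker}'")
```

Run against the listing as posted in the question, where the invalid-state drop comes first and the unconditional drop last, the check reports nothing for the input chain.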










