Mikrotik firewall nedostupné některé hw v síti

sachlj

Zdravím. Najednou se mi něco stalo ve firewallu. V síti mám switche, AP, NAS. Vše v jedné síti, žádné VLAN. Najednou se nedostanu na jeden NAS, na druhý ano. Najednou se nedostanu na jedno AP a na další 3 ano. Najednou se nedostanu na modem UPC co je na jiné síti. Přitom před 14 dny, měsícem to normálně šlo. S mikrotikem a jeho fw jsem si nehrál, "co funguje nech na pokoji, nešťourej do toho". nedostanu se na adresy 192.168.88.241, 192.168.88.239, 192.168.1.1
Poradíte někdo v čem je problém?
config.
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add list=ddos-attackers
add list=ddos-target
add list=ddos-targets
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="Mikrotik Fetch malware" log=yes \
log-prefix=VIRUS src-address=95.154.216.128/25
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=accept chain=forward dst-address=192.168.88.214 dst-port=80 \
protocol=tcp
add action=accept chain=forward dst-address=192.168.88.214 dst-port=443 \
protocol=tcp
add action=reject chain=forward comment=Layer7 disabled=yes layer7-protocol=\
Block reject-with=icmp-network-unreachable
/ip firewall nat
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.6 dst-port=80 protocol=\
tcp to-addresses=192.168.88.214
add action=dst-nat chain=dstnat dst-address=78.45.51.41 dst-port=80 protocol=\
tcp to-addresses=192.168.88.214
add action=masquerade chain=srcnat dst-address=192.168.88.214 dst-port=80 \
out-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.6 dst-port=443 \
protocol=tcp to-addresses=192.168.88.214
add action=dst-nat chain=dstnat dst-address=78.45.51.41 dst-port=443 \
protocol=tcp to-addresses=192.168.88.214
add action=masquerade chain=srcnat dst-address=192.168.88.214 dst-port=443 \
out-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=3306 protocol=tcp to-addresses=\
192.168.88.214 to-ports=3306
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
add action=drop chain=prerouting dst-address-list=dddos-targets \
src-address-list=ddos-attackers
/ip firewall service-port
set sip disabled=yes

/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain="add action=drop dst-address-list=no_forward_ipv6 commen\
t=\"defconf: drop bad forward IPs\"" comment=\
"defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain="add action=drop dst-address-list=no_forward_ipv6 commen\
t=\"defconf: drop bad forward IPs\"" comment=\
"defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain="add action=drop dst-address-list=no_forward_ipv6 commen\
t=\"defconf: drop bad forward IPs\"" comment=\
"defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6

Trnec

drakgon já to četl, ale jsem z toho jelen 🙂

sachlj jak píše @drakgon je to zřejmě stylem opisu, ale zaráží mně že jsou tam defconfigy, to je z nějakýho zařízení? upřímně už jsem něco takovýho viděl, ale na domací router bych si tohle nedal. fw se staví tak, že se zakáže vše a povolí jen to člověk potřebuje, což zabere pár řádků a zbytečně nezatěžuje cpu.

Trnec

sachlj k tématu, vypl bych všechny pravidla a zapínal je po jednom, tím zjistím co mi to blokuje.
nehledě na to že tam máš logging snad u každýho pravidla.

napis spíš co je to za stroj a kolik přes to teče

edit: jěště pár drobností,: máš ipv6? máš veřejnou ipv4? proč nepoužíváš vpn?

drakgon

Právě tím fw by jsi měl začít... pokud jsi ho psal ty, tak by jsi měl vědět co tam mas za pravidla... mě to přijde jako ctrl+c/ctrl+v nějakého nářezu... pokud nevíš co všechny ty pravidla dělají, tak takový fw neprovozuj... uprime je to jako knížka na celou noc... to by se někdo musel Jo nudit to cele číst a studovat...

sachlj

Mám veřejnou IP a proto potřebuji fw co to ochrání, tento mi dost dobře blokuje vnitřní síť a nebrzdí internet. To je pro mě důležité. Propustnost fw. To proto abych si neplatil rychlá data když se na ně kvůli fw nedostanu. Jak jsme psal, najednou to přestalo fungovat ty prostupy. Tím, že mám veřejnou IP a na internetu jsem dost tak mám log zahlcený pakety co fw zakazuje a odhazuje.

Trnec

jak jsem psal, zakaž vše a otevři jen to co potřebuješ, základní fw v mikrotiku má ani ne 10 řádků, to co jsi sem hodil je psychopatie 😃

sachlj

Trnec jo jenže s tím základním se mi hnedle dovnitř dostalo pár šmejdů..... psychopatie? https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

sidi

sachlj Když vše zakážeš a pomocí pár řádků povolíš potřebné, tak to funguje. Jestli se ti tam dostali, tak bylo něco špatně.

Ale jestli chceš něco lepšího, doporučuji použít specializovaný firewall, který má IDS, IPS, ...

ladik

sachlj Tobe se se zakladnim nastavenim hned do toho dostalo nekolik smejdu? Jakoze do ceho? Mit vystavene vse do netu je proste uplne spatne, kor v dnesni dobe. Minimalne je zasada pokud chci na neco pristupovat domu, tak alespon pres VPN, pak je jakasi takasi jistota, ze to jsem jen ja,
Zakladem je vypnout vsechny services mimo WinBox a ten povolit jen na lokalni rozsah a nevim kdo by se ti jinak do toho dostal.
A to ze ti to doted fungovalo a opravdu jsi nic nikde nemenil jak na MK, tak na sve siti, tak bude chyba ve filtrovani mozna u poskytovatele, tedy za predpokladu, ze jsi nedelal aktualizaci ROS, ktera ma treba v dane veci pak uz chybu !!!

sachlj

sidi vzal jsem právě RB760iGS která toho zvládne hafo naráz. jak jsem psal, s tím firewallem podle návodu vše fungovalo jedna báseň asi 3/4 roku a najednou se nedostanu na 3 zařízení ale ping na ně funguje. Na všech počítačích mám plného eseta včetně hlídání internetu takže do PC se mi nic nedostane.

Trnec

no asi nejjednodušší by bylo sledovat countery když se pokoušíš připojit tam kde ti to nejde a podle toho zjistíš, který pravidlo ti to dropuje. tipl bych si, že budeš na nějakým blacklistu kterej ti ten fw vytváří (port scanners, ddos-target nebo ddos-attackers), to by vysvětlovalo to, že ti to jelo a už nejede 😃
a až na to přijdeš, tak mi to sem napiš, jsem zvědav 😉

sachlj

"trochu" jsem pročistil fw a dostanu se na jedno zařízení, to jedno je kousnuté ale to je jeho chyba a to třetí je jiné síti tak je to jasné proč...tak vyřešeno, díky za nápady.....