SmartFinn · October 21, 2024 11:59 · MDE186 · Apr 6, 2022
diff --git a/ip_firewall_filter.rsc b/ip_firewall_filter.rsc
 # jan/29/2018 22: 4:17 by RouterOS 6.41
 #
 /interface list
 add name=public comment="public network"
 add name=local  comment="local network"
 add name=guest  comment="guest network"

 # Change the interfaces below to your own
 /interface list member
 add list=public interface=ether1
 add list=local  interface=bridge

 /ip firewall filter
 # WARNING!  All filter rules will be deleted
 :delay 10
 remove [find dynamic=no]

 ## Enable FastTrack for all zones
 add chain=forward action=fasttrack-connection \
    connection-state=established,related \
    comment="Enable FastTrack for all zones"

 ## PUBLIC ---> ROUTER
 add chain=input action=jump jump-target=PUBLIC-TO-ROUTER \
    in-interface-list=public comment="PUBLIC ---> ROUTER"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=80 \
    comment="DISABLE IT IF NOT NEEDED"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=22 \
    comment="DISABLE IT IF NOT NEEDED"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1194 \
    comment="OpenVPN"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=500,4500 \
    comment="L2TP/IPSec"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec
 add chain=PUBLIC-TO-ROUTER action=accept protocol=ipsec-esp
 add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1723 \
    comment="PPTP"
 add chain=PUBLIC-TO-ROUTER action=accept protocol=gre
 add chain=PUBLIC-TO-ROUTER action=return

 ## PUBLIC <--- ROUTER
 add chain=output action=jump jump-target=ROUTER-TO-PUBLIC \
    out-interface-list=public comment="PUBLIC <--- ROUTER"
 add chain=ROUTER-TO-PUBLIC action=return

 ## LOCAL ---> ROUTER
 add chain=input action=jump jump-target=LOCAL-TO-ROUTER \
    in-interface-list=local comment="LOCAL ---> ROUTER"
 add chain=LOCAL-TO-ROUTER action=accept

 ## LOCAL <--- ROUTER
 add chain=output action=jump jump-target=ROUTER-TO-LOCAL \
    out-interface-list=local comment="LOCAL <--- ROUTER"
 add chain=ROUTER-TO-LOCAL action=accept

 ## PUBLIC ---> LOCAL
 add chain=forward action=jump jump-target=PUBLIC-TO-LOCAL \
    in-interface-list=public out-interface-list=local comment="PUBLIC ---> LOCAL"
 add chain=PUBLIC-TO-LOCAL action=accept \
    connection-state=established,related,untracked
 add chain=PUBLIC-TO-LOCAL action=drop connection-state=invalid
 add chain=PUBLIC-TO-LOCAL action=drop \
    connection-state=new connection-nat-state=!dstnat
 add chain=PUBLIC-TO-LOCAL action=accept

 ## PUBLIC <--- LOCAL
 add chain=forward action=jump jump-target=LOCAL-TO-PUBLIC \
    in-interface-list=local out-interface-list=public comment="PUBLIC <--- LOCAL"
 add chain=LOCAL-TO-PUBLIC action=accept

 ## GUEST ---> ROUTER
 add chain=input action=jump jump-target=GUEST-TO-ROUTER \
    in-interface-list=guest comment="GUEST ---> ROUTER"
 add chain=GUEST-TO-ROUTER action=drop protocol=icmp
 add chain=GUEST-TO-ROUTER action=return

 ## GUEST <--- ROUTER
 add chain=output action=jump jump-target=ROUTER-TO-GUEST \
    out-interface-list=guest comment="GUEST <--- ROUTER"
 add chain=ROUTER-TO-GUEST action=return

 ## PUBLIC ---> GUEST
 add chain=forward action=jump jump-target=PUBLIC-TO-GUEST \
    in-interface-list=public out-interface-list=guest comment="PUBLIC ---> GUEST"
 add chain=PUBLIC-TO-GUEST action=return

 ## PUBLIC <--- GUEST
 add chain=forward action=jump jump-target=GUEST-TO-PUBLIC \
    in-interface-list=guest out-interface-list=public comment="PUBLIC <--- GUEST"
 add chain=GUEST-TO-PUBLIC action=return

 ## LOCAL ---> GUEST
 add chain=forward action=jump jump-target=LOCAL-TO-GUEST \
    in-interface-list=local out-interface-list=guest comment="LOCAL ---> GUEST"
 add chain=LOCAL-TO-GUEST action=drop

 ## LOCAL <--- GUEST
 add chain=forward action=jump jump-target=GUEST-TO-LOCAL \
    in-interface-list=guest out-interface-list=local comment="LOCAL <--- GUEST"
 add chain=GUEST-TO-LOCAL action=drop

 ## [Default policy] INPUT
 add chain=input action=accept connection-state=established,related,untracked \
    comment="[Default policy] INPUT"
 add chain=input action=drop connection-state=invalid
 add chain=input action=accept protocol=icmp
 add chain=input action=drop

 ## [Default policy] FORWARD
 add chain=forward action=accept connection-state=established,related,untracked \
    comment="[Default policy] FORWARD"
 add chain=forward action=accept ipsec-policy=in,ipsec
 add chain=forward action=accept ipsec-policy=out,ipsec
 add chain=forward action=drop connection-state=invalid
 add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=public
 add chain=forward action=reject reject-with=icmp-net-prohibited disabled=yes \
    comment="Forbid connections between networks"
 # The next rule allows connections between networks. Enable the rule above to
 # forbid that
 add chain=forward action=accept

 ## [Default policy] OUTPUT
 add chain=output action=accept comment="[Default policy] OUTPUT"
	# jan/29/2018 22: 4:17 by RouterOS 6.41
	#
	/interface list
	add name=public comment="public network"
	add name=local comment="local network"
	add name=guest comment="guest network"

	# Change the interfaces below to your own
	/interface list member
	add list=public interface=ether1
	add list=local interface=bridge

	/ip firewall filter
	# WARNING! All filter rules will be deleted
	:delay 10
	remove [find dynamic=no]

	## Enable FastTrack for all zones
	add chain=forward action=fasttrack-connection \
	connection-state=established,related \
	comment="Enable FastTrack for all zones"

	## PUBLIC ---> ROUTER
	add chain=input action=jump jump-target=PUBLIC-TO-ROUTER \
	in-interface-list=public comment="PUBLIC ---> ROUTER"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=80 \
	comment="DISABLE IT IF NOT NEEDED"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=22 \
	comment="DISABLE IT IF NOT NEEDED"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1194 \
	comment="OpenVPN"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=500,4500 \
	comment="L2TP/IPSec"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=udp dst-port=1701 \
	ipsec-policy=in,ipsec
	add chain=PUBLIC-TO-ROUTER action=accept protocol=ipsec-esp
	add chain=PUBLIC-TO-ROUTER action=accept protocol=tcp dst-port=1723 \
	comment="PPTP"
	add chain=PUBLIC-TO-ROUTER action=accept protocol=gre
	add chain=PUBLIC-TO-ROUTER action=return

	## PUBLIC <--- ROUTER
	add chain=output action=jump jump-target=ROUTER-TO-PUBLIC \
	out-interface-list=public comment="PUBLIC <--- ROUTER"
	add chain=ROUTER-TO-PUBLIC action=return

	## LOCAL ---> ROUTER
	add chain=input action=jump jump-target=LOCAL-TO-ROUTER \
	in-interface-list=local comment="LOCAL ---> ROUTER"
	add chain=LOCAL-TO-ROUTER action=accept

	## LOCAL <--- ROUTER
	add chain=output action=jump jump-target=ROUTER-TO-LOCAL \
	out-interface-list=local comment="LOCAL <--- ROUTER"
	add chain=ROUTER-TO-LOCAL action=accept

	## PUBLIC ---> LOCAL
	add chain=forward action=jump jump-target=PUBLIC-TO-LOCAL \
	in-interface-list=public out-interface-list=local comment="PUBLIC ---> LOCAL"
	add chain=PUBLIC-TO-LOCAL action=accept \
	connection-state=established,related,untracked
	add chain=PUBLIC-TO-LOCAL action=drop connection-state=invalid
	add chain=PUBLIC-TO-LOCAL action=drop \
	connection-state=new connection-nat-state=!dstnat
	add chain=PUBLIC-TO-LOCAL action=accept

	## PUBLIC <--- LOCAL
	add chain=forward action=jump jump-target=LOCAL-TO-PUBLIC \
	in-interface-list=local out-interface-list=public comment="PUBLIC <--- LOCAL"
	add chain=LOCAL-TO-PUBLIC action=accept

	## GUEST ---> ROUTER
	add chain=input action=jump jump-target=GUEST-TO-ROUTER \
	in-interface-list=guest comment="GUEST ---> ROUTER"
	add chain=GUEST-TO-ROUTER action=drop protocol=icmp
	add chain=GUEST-TO-ROUTER action=return

	## GUEST <--- ROUTER
	add chain=output action=jump jump-target=ROUTER-TO-GUEST \
	out-interface-list=guest comment="GUEST <--- ROUTER"
	add chain=ROUTER-TO-GUEST action=return

	## PUBLIC ---> GUEST
	add chain=forward action=jump jump-target=PUBLIC-TO-GUEST \
	in-interface-list=public out-interface-list=guest comment="PUBLIC ---> GUEST"
	add chain=PUBLIC-TO-GUEST action=return

	## PUBLIC <--- GUEST
	add chain=forward action=jump jump-target=GUEST-TO-PUBLIC \
	in-interface-list=guest out-interface-list=public comment="PUBLIC <--- GUEST"
	add chain=GUEST-TO-PUBLIC action=return

	## LOCAL ---> GUEST
	add chain=forward action=jump jump-target=LOCAL-TO-GUEST \
	in-interface-list=local out-interface-list=guest comment="LOCAL ---> GUEST"
	add chain=LOCAL-TO-GUEST action=drop

	## LOCAL <--- GUEST
	add chain=forward action=jump jump-target=GUEST-TO-LOCAL \
	in-interface-list=guest out-interface-list=local comment="LOCAL <--- GUEST"
	add chain=GUEST-TO-LOCAL action=drop

	## [Default policy] INPUT
	add chain=input action=accept connection-state=established,related,untracked \
	comment="[Default policy] INPUT"
	add chain=input action=drop connection-state=invalid
	add chain=input action=accept protocol=icmp
	add chain=input action=drop

	## [Default policy] FORWARD
	add chain=forward action=accept connection-state=established,related,untracked \
	comment="[Default policy] FORWARD"
	add chain=forward action=accept ipsec-policy=in,ipsec
	add chain=forward action=accept ipsec-policy=out,ipsec
	add chain=forward action=drop connection-state=invalid
	add chain=forward action=drop connection-state=new \
	connection-nat-state=!dstnat in-interface-list=public
	add chain=forward action=reject reject-with=icmp-net-prohibited disabled=yes \
	comment="Forbid connections between networks"
	# The next rule allows connections between networks. Enable the rule above to
	# forbid that
	add chain=forward action=accept

	## [Default policy] OUTPUT
	add chain=output action=accept comment="[Default policy] OUTPUT"