Mikrotik IPv4/IPv6 firewall

[teodor_ch]

Έχεις δίκιο (θα εξοπλιστώ με υπομονή) μετά το reset θα αφήσω το δικό του firewall και θα χτίσω πάνω του. Σε κάθε απορία μιλάμε.
Γνωρίζω για το reset με το κουμπί μήπως καλύτερα να το κάνω και με το netinstall?

αν έχεις όρεξη ακόμα καλύτερα αρκεί να μήν τικάρεις το keep old configuration

[jkarabas]

αν έχεις όρεξη ακόμα καλύτερα αρκεί να μήν τικάρεις το keep old configuration

Αυτό το keep old configuration υπάρχει και στο netinstall δεν θυμάμαι. Στο winbox είναι μέσα σαν επιλογή.

[macro]

Παρε ενα export file=backup και στηστο απο την αρχη.

[jkarabas]

Με ποιο τρόπο τρόπο θα κρατήσω το default configuration όσο αφορά το firewall? Μετά το netinstall έχω την εντύπωση ότι δεν κρατά το default.

- - - Updated - - -

Παρε ενα export file=backup και στηστο απο την αρχη.

Έχω ήδη ετοιμαστεί με τα backup αλλά μήπως έχω θέμα με το υπάρχον configuration και κάνοντας backup θα έχω τα ίδια. Θα δοκιμάσω και θα δω.
Ξέρεις κάποιος που μπορώ να βρω το deafault firewall που έχει μέσα το mikrotik? Το ψάχνω.

[macro]

Βαλτο να κανει reset conf. και πριν το κανεις εκει που εχει το keep old, εχει αλλο ενα check box που λεει load default conf.

[jkarabas]

Βαλτο να κανει reset conf. και πριν το κανεις εκει που εχει το keep old, εχει αλλο ενα check box που λεει load default conf.

Καλημέρα
Το γνωρίζω, απλά δεν θα ήθελα και όλα τα άλλα που έχει μέσα στο load default conf θα προτιμούσα remove το default και να έχω κάπου το default firewall.
Τώρα που το σκέφτομαι αυτό γίνεται κάνοντας export μόνο το firewall και μετά reset πάλι.
Πάντως χθες που έκανα import διάφορα backups που είχα δεν διορθώθηκε κάτι.

[macro]

Και καπως αλλιως φορτωνει το default αλλα δε το θυμαμαι.................. οποιος το βρει ας το ποσταρει.

[puntomania]

...κάνε ;export το δικό σου που έχεις τώρα.... μετά πας στο load default conf.... κάνεις πάλι export....


στο notepad βάλε το παλιό όλο.... και αντικατέστησε το κομμάτι του filter με του default απ το 2ο export... και πέρασε το όλο πίσω... έτσι θα έχεις το παλιό σου config...με το default firewall filter!!!

[jkarabas]

...κάνε ;export το δικό σου που έχεις τώρα.... μετά πας στο load default conf.... κάνεις πάλι export....


στο notepad βάλε το παλιό όλο.... και αντικατέστησε το κομμάτι του filter με του default απ το 2ο export... και πέρασε το όλο πίσω... έτσι θα έχεις το παλιό σου config...με το default firewall filter!!!

Και έτσι γίνεται...αλλά μήπως πρέπει να στηθούν όλα από την αρχή με ένα Netinstall και να ησυχάσω μια και καλή.

[puntomania]

Και έτσι γίνεται...αλλά μήπως πρέπει να στηθούν όλα από την αρχή με ένα Netinstall και να ησυχάσω μια και καλή.

δες αν σε βοηθάει αυτό με ρεσετ απ το κουμπάκι ειναι

Spoiler:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.43.2 (c) 1999-2018 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
jan/02/1970 00:00:13 system,error,critical router was rebooted without proper shutdown
[admin@MikroTik] > export
# jan/02/1970 00:01:13 by RouterOS 6.43.2
# software id = TG0H-PEX9
#
# model = RouterBOARD 941-2nD
# serial number = 8BxxxxxxxxxxxxF
/interface bridge
add admin-mac=CC:2D:E0:8B:92:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-8B92B5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

- - - Updated - - -

και αυτό με ρεσετ μεσα απ το winbox ειναι ( αν και δε νομίζω να έχει διαφορά )

Spoiler:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.43.2 (c) 1999-2018 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
The following default configuration has been installed on your router:
-------------------------------------------------------------------------------
RouterMode:
* WAN port is protected by firewall and enabled DHCP client
* Wireless and Ethernet interfaces (except WAN port ether1)
are part of LAN bridge
wlan1 Configuration:
mode: ap-bridge;
band: 2ghz-b/g/n;
tx-chains: 0;1;
rx-chains: 0;1;
ht-extension: 20/40mhz-Ce;
LAN Configuration:
IP address 192.168.88.1/24 is set on bridge (LAN port)
DHCP Server: enabled;
WAN (gateway) Configuration:
gateway: ether1 ;
ip4 firewall: enabled;
NAT: enabled;
DHCP Client: enabled;
DNS: enabled;

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Failed to confirm this configuration
[admin@MikroTik] > export
# jan/02/1970 00:01:49 by RouterOS 6.43.2
# software id = TG0H-PEX9
#
# model = RouterBOARD 941-2nD
# serial number = 8BxxxxxxxxxxxxxxxxF
/interface bridge
add admin-mac=CC:2D:E0:8B:92:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-8B92B5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

[jkarabas]

δες αν σε βοηθάει αυτό με ρεσετ απ το κουμπάκι ειναι

Spoiler:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.43.2 (c) 1999-2018 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
jan/02/1970 00:00:13 system,error,critical router was rebooted without proper shutdown
[admin@MikroTik] > export
# jan/02/1970 00:01:13 by RouterOS 6.43.2
# software id = TG0H-PEX9
#
# model = RouterBOARD 941-2nD
# serial number = 8BxxxxxxxxxxxxF
/interface bridge
add admin-mac=CC:2D:E0:8B:92:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-8B92B5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

- - - Updated - - -

και αυτό με ρεσετ μεσα απ το winbox ειναι ( αν και δε νομίζω να έχει διαφορά )

Spoiler:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.43.2 (c) 1999-2018 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
The following default configuration has been installed on your router:
-------------------------------------------------------------------------------
RouterMode:
* WAN port is protected by firewall and enabled DHCP client
* Wireless and Ethernet interfaces (except WAN port ether1)
are part of LAN bridge
wlan1 Configuration:
mode: ap-bridge;
band: 2ghz-b/g/n;
tx-chains: 0;1;
rx-chains: 0;1;
ht-extension: 20/40mhz-Ce;
LAN Configuration:
IP address 192.168.88.1/24 is set on bridge (LAN port)
DHCP Server: enabled;
WAN (gateway) Configuration:
gateway: ether1 ;
ip4 firewall: enabled;
NAT: enabled;
DHCP Client: enabled;
DNS: enabled;

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Failed to confirm this configuration
[admin@MikroTik] > export
# jan/02/1970 00:01:49 by RouterOS 6.43.2
# software id = TG0H-PEX9
#
# model = RouterBOARD 941-2nD
# serial number = 8BxxxxxxxxxxxxxxxxF
/interface bridge
add admin-mac=CC:2D:E0:8B:92:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-8B92B5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

Τι έγινε είχες έτοιμο ρουτερ για δοκιμές ή τα βρήκες?.... Ευχαριστώ
Τα ίδια φαίνονται από ότι βλέπω.

[puntomania]

Τι έγινε είχες έτοιμο ρουτερ για δοκιμές ή τα βρήκες?.... Ευχαριστώ
Τα ίδια φαίνονται από ότι βλέπω.

το είχα ξεχασμένο στο συρτάρι εδώ δίπλα...

[jkarabas]

Δεν μπορώ να κατανοήσω στο default firewall στους παρακάτω κανόνες γιατί να υπάρχει δηλωμένο το in interface list και όχι το απλό in.interface ποια η διαφορά τους ξέρει κανείς?
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

[macro]

Για να αποφυγει τους πολλους κανονες στο filter φτιαχνει μια list.

[jkarabas]

Για να αποφυγει τους πολλους κανονες στο filter φτιαχνει μια list.

Ποιους πολλούς κανόνες? οι παραπάνω δεν μπορούν να γραφτούν όπως παρακάτω? Ποια η διαφορά;
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!LAN

Λίστα είναι ότι όταν έχεις πολλά μαζί interfaces και τα βάζεις όλα μαζί σε μια λίστα. Σωστά; Πρόσεξα ότι είναι δηλωμένα στα interfaces lists.

- - - Updated - - -

Έκανα reset από μέσα->Remove Configuration τα έστησα όλα από την αρχή (τα βασικά) πέρασα το default firewall και πέρασα τους κανόνες των port scan και πάλι δεν δούλεψε!!!!

Κώδικας:

/ip firewall filter
add action=accept chain=input comment= "defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="Add port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="______Drop port scanners from list" src-address-list="Port Scanners"

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment= "defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment= "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Τους άλλαξα τη σειρά παντού αλλά και πάλι τίποτα. Το επόμενο βήμα θα είναι να το κάνω με το netinstall που τα σβήνω όλα και περνάει το πακέτο της ROS από την αρχή. Δεν ξέρω τι άλλο να υποθέσω;

- - - Updated - - -

Λοιπόν τα έστησα όλα από την αρχή με το netinstall, άρα το config εντελώς κενό. Έβαλα το default firewall και εκεί πρόσθεσα τους κανόνες των port scan.
Τρέχω από το κινητό μου στην εξωτερική Ip του Mikrotik αλλά και πάλι οι κανόνες δεν δουλεύουν.

Κώδικας:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="Add port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="______NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="______Drop port scanners from list" src-address-list="Port Scanners"

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Έχει κάποιος κάποια ιδέα τι μπορεί να συμβαίνει??
Μου έχει σπάσει τα νεύρα δεν μπορώ να το εξηγήσω??