( rattila | 2024. 02. 19., h – 14:26 )

[rattila@DHMTr] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1596       2026 
 1  RS ether2                              ether            1500  1596       2026 
 2     ether3                              ether            1500  1596       2026 
 3  RS ether4                              ether            1500  1596       2026 
 4  RS ether5                              ether            1500  1596       2026 
 5  R  ;;; defconf
       bridge                              bridge           1500  1596            
 6  R  pppoe-out1                          pppoe-out        1480
[rattila@DHMTr] /interface>

[rattila@DHMTr] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=input action=accept connection-limit=100,0 protocol=tcp dst-port=22 log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMP

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

13    chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix="" 

[rattila@DHMTr] /ip firewall filter>

 

[rattila@DHMTr] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 
[rattila@DHMTr] /ip firewall nat>

 

[rattila@DHMTr] /ip route> print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-out1                1
 1  DS  0.0.0.0/0                          192.168.1.1               1
 2 ADC  <pub_IP1>/32  <pub_IP2>    pppoe-out1                0
 3 ADC  192.168.1.0/24     192.168.1.66    ether1                    0
 4 ADC  192.168.8.0/24     192.168.8.1     bridge                    0