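# RouterOS export: PPPoE WAN on ether1, LAN bridge (ether2/ether6 switch groups + wlan1),
# DHCP on 192.168.1.0/24, stateful input/forward filtering, masquerade NAT.
# Credential notes as recorded in the original export header:
#admin
#breitband
#user:ftth
#wifi key:breitband1234
# NOTE(review): the admin password and the WPA2 PSK appear in plaintext further down;
# this export carries them verbatim.

/interface bridge
add \
    name=bridge1 \
    mtu=1598 \
    protocol-mode=none

# ether1 is the WAN uplink; ether3-5 are switched behind ether2, ether7-10 behind ether6
# (pre-6.41 master-port switch-chip syntax).
/interface ethernet
set [ find default-name=ether1 ] \
    name=WAN
set [ find default-name=ether3 ] \
    master-port=ether2
set [ find default-name=ether4 ] \
    master-port=ether2
set [ find default-name=ether5 ] \
    master-port=ether2
set [ find default-name=ether7 ] \
    master-port=ether6
set [ find default-name=ether8 ] \
    master-port=ether6
set [ find default-name=ether9 ] \
    master-port=ether6
set [ find default-name=ether10 ] \
    master-port=ether6

/interface wireless security-profiles
set [ find default=yes ] \
    supplicant-identity=MikroTik

/ip hotspot user profile
set [ find default=yes ] \
    idle-timeout=none \
    keepalive-timeout=2m \
    mac-cookie-timeout=3d

# LAN addressing: .1 is the router, .10-.254 are leased.
/ip pool
add \
    name=dhcp \
    ranges=192.168.1.10-192.168.1.254

/ip dhcp-server
add \
    name=dhcp1 \
    address-pool=dhcp \
    disabled=no \
    interface=bridge1

/interface bridge port
add \
    bridge=bridge1 \
    interface=ether2
add \
    bridge=bridge1 \
    interface=ether6

/ppp profile
set *0 \
    use-encryption=yes \
    use-mpls=yes
add \
    name=ppp-wan \
    change-tcp-mss=yes

# NOTE(review): user=/password= below look like placeholders — confirm the ISP-provided values.
/interface pppoe-client
add \
    name=pppoe-wan \
    add-default-route=yes \
    allow=pap \
    default-route-distance=1 \
    disabled=no \
    interface=WAN \
    max-mru=1480 \
    max-mtu=1452 \
    mrru=1600 \
    password=w12 \
    profile=ppp-wan \
    user=password

/ip address
add \
    address=192.168.1.1/24 \
    interface=bridge1 \
    network=192.168.1.0

/ip dhcp-server network
add \
    address=192.168.1.0/24 \
    dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.1.1

# The NTP servers configured under /system ntp client, used to scope the NTP accept rule
# (an accept keyed on src-port alone matches any UDP packet whose sender picks port 123).
/ip firewall address-list
add \
    list=ntp-servers \
    address=193.204.114.232
add \
    list=ntp-servers \
    address=193.204.114.233

# Input chain: ICMP, NTP replies from the configured servers, LAN, and tracked
# connections are accepted; WAN DNS queries and everything else are dropped.
# Forward chain: fasttrack/accept tracked traffic, drop new WAN-originated
# connections that were not dst-nat'ed, drop invalid.
/ip firewall filter
add \
    comment="fasttrack" \
    action=fasttrack-connection \
    chain=forward \
    connection-state=established,related
add \
    comment="permit ICMP" \
    chain=input \
    protocol=icmp
add \
    comment="permit NTP" \
    chain=input \
    protocol=udp \
    src-port=123 \
    src-address-list=ntp-servers
# NOTE(review): UDP/53 from the WAN is dropped explicitly; TCP/53 and anything else
# from the WAN is caught by the final input drop. Whether the router answers remote
# DNS queries at all depends on /ip dns allow-remote-requests, which is not in this export.
add \
    action=drop \
    chain=input \
    dst-port=53 \
    in-interface=pppoe-wan \
    protocol=udp
add \
    comment="permit local access" \
    chain=input \
    in-interface=bridge1
add \
    comment="Zulassen von eingehenden Verbindungen zum lokalen Router" \
    chain=input \
    connection-state=related
add \
    comment="Zulassen, dass der Verbindungsstatus eingehender Verbindungen zum lokalen Router herstellt" \
    chain=input \
    connection-state=established
add \
    comment=" alles andere zum lokalen Router blockieren , drop " \
    action=drop \
    chain=input
add \
    comment="Zulassen von verbindungsstatusbezogenen eingehenden Verbindungen " \
    chain=forward \
    connection-state=related
add \
    comment="Zulassen, dass der verbindungsstatus eingehender Verbindungen weitergeleitet wird " \
    chain=forward \
    connection-state=established
# New connections arriving on the WAN that no dst-nat rule redirected have no
# legitimate LAN destination; without this rule the forward chain only drops
# invalid packets and falls through with accept.
add \
    comment="drop new WAN connections that are not dst-nat'ed" \
    action=drop \
    chain=forward \
    connection-state=new \
    connection-nat-state=!dstnat \
    in-interface=pppoe-wan
add \
    comment="drop everything else to forward chain" \
    action=drop \
    chain=forward \
    connection-state=invalid

/ip firewall nat
add \
    comment="NAT WAN" \
    action=masquerade \
    chain=srcnat \
    out-interface=pppoe-wan
# Masquerades all traffic leaving toward the LAN as well (hairpin-style); source
# addresses of LAN-bound flows are rewritten to the bridge address.
add \
    comment="NAT Bridge" \
    action=masquerade \
    chain=srcnat \
    out-interface=bridge1

# Connection-tracking helpers (ALGs) disabled.
/ip firewall service-port
set ftp \
    disabled=yes
set tftp \
    disabled=yes
set irc \
    disabled=yes
set h323 \
    disabled=yes
set sip \
    disabled=yes
set pptp \
    disabled=yes

# Management services: plaintext services off, the rest bound to the LAN subnet.
# ssh was the only remaining management service not restricted to the LAN.
/ip service
set telnet \
    disabled=yes
set ftp \
    disabled=yes
set www \
    address=192.168.1.0/24
set ssh \
    address=192.168.1.0/24
set api \
    address=192.168.1.0/24
set winbox \
    address=192.168.1.0/24
set api-ssl \
    disabled=yes

/ip upnp
set \
    allow-disable-external-interface=no

/system clock
set \
    time-zone-name=Europe/Rome

/system identity
set \
    name=GW

/system ntp client
set \
    enabled=yes \
    primary-ntp=193.204.114.232 \
    secondary-ntp=193.204.114.233

/interface bridge port
add bridge=bridge1 interface=wlan1

/interface wireless
set [ find default-name=wlan1 ] \
    band=2ghz-b/g/n \
    country=italy \
    disabled=no \
    frequency=2437 \
    rx-chains=0 \
    tx-chains=0 \
    mode=ap-bridge \
    ssid=wifi-Generic

# WPA2-PSK with CCMP only; TKIP was removed from both cipher lists, so clients
# that can only do TKIP will no longer associate.
/interface wireless security-profiles
set [ find default=yes ] \
    authentication-types=wpa2-psk \
    eap-methods="" \
    group-ciphers=aes-ccm \
    mode=dynamic-keys \
    supplicant-identity=MikroTik \
    unicast-ciphers=aes-ccm \
    wpa2-pre-shared-key=breitband1234

/user
set admin password=breitband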
ml- raini add \ action=drop \ chain=input \ dst-port=53 \ in-interface=pppoe-wan \ protocol=udp Den Sinn dieser drop-Regel verstehe ich nicht ganz... Diese Anfragen werden ja sowieso von der allgemeinen drop-Regel abgelehnt, oder?
ml- raini Recursive resolver is not detected on XXX.XXX.XXX.XXX. IP address XXX.XXX.XXX.XXX is not vulnerable to DNS Amplification attacks.