update router config

2024-05-01 11:02:42 +02:00 · 2024-05-01 11:02:42 +02:00 · 4a1f06e020
commit 4a1f06e020
parent 827e859277
1 changed files with 11 additions and 57 deletions
--- a/router.nix
+++ b/router.nix
@ -101,8 +101,10 @@
    }
  ];
  "/ip dns" = {
-    "allow-remote-requests" = "yes";
-    servers = "1.1.1.1,1.0.0.1";
+    no_label = {
+      allow-remote-requests = "yes";
+      servers = "1.1.1.1,1.0.0.1";
+    };
  };
  "/ip dns static" = [
    {
@ -112,67 +114,19 @@
  ];
  "/ip firewall filter" = [
    {
-      action = "accept";
-      chain = "input";
-      comment = "defconf: accept established,related,untracked";
-      "connection-state" = "established,related,untracked";
-    }
-    {
-      action = "drop";
-      chain = "input";
-      comment = "defconf: drop invalid";
-      "connection-state" = "invalid";
+      address = "10.10.10.10-10.10.10.10.254";
+      list = "allowed_to_router";
+    }
+    {
+      action = "accept";
+      chain = "input";
+      src-address-list = "allowed_to_router";
    }
    {
      action = "accept";
      chain = "input";
-      comment = "defconf: accept ICMP";
      protocol = "icmp";
    }
-    {
-      action = "drop";
-      chain = "input";
-      comment = "defconf: drop all not coming from LAN";
-      "in-interface-list" = "!LAN";
-    }
-    {
-      action = "accept";
-      chain = "forward";
-      comment = "defconf: accept in ipsec policy";
-      "ipsec-policy" = "in,ipsec";
-    }
-    {
-      action = "accept";
-      chain = "forward";
-      comment = "defconf: accept out ipsec policy";
-      "ipsec-policy" = "out,ipsec";
-    }
-    {
-      action = "fasttrack-connection";
-      chain = "forward";
-      comment = "defconf: fasttrack";
-      "connection-state" = "established,related";
-    }
-    {
-      action = "accept";
-      chain = "forward";
-      comment = "defconf: accept established,related, untracked";
-      "connection-state" = "established,related,untracked";
-    }
-    {
-      action = "drop";
-      chain = "forward";
-      comment = "defconf: drop invalid";
-      "connection-state" = "invalid";
-    }
-    {
-      action = "drop";
-      chain = "forward";
-      comment = "defconf:  drop all from WAN not DSTNATed";
-      "connection-nat-state" = "!dstnat";
-      "connection-state" = "new";
-      "in-interface-list" = "WAN";
-    }
  ];
  "/ip firewall nat" = [
    {