diff --git a/router.nix b/router.nix
index c676be2..d05493d 100644
--- a/router.nix
+++ b/router.nix
@@ -101,8 +101,10 @@
 }
 ];
 "/ip dns" = {
- "allow-remote-requests" = "yes";
- servers = "1.1.1.1,1.0.0.1";
+ no_label = {
+ allow-remote-requests = "yes";
+ servers = "1.1.1.1,1.0.0.1";
+ };
 };
 "/ip dns static" = [
 {
@@ -112,67 +114,19 @@
 ];
 "/ip firewall filter" = [
 {
- action = "accept";
- chain = "input";
- comment = "defconf: accept established,related,untracked";
- "connection-state" = "established,related,untracked";
- }
- {
- action = "drop";
- chain = "input";
- comment = "defconf: drop invalid";
- "connection-state" = "invalid";
+ address = "10.10.10.10-10.10.10.10.254";
+ list = "allowed_to_router";
+ }
+ {
+ action = "accept";
+ chain = "input";
+ src-address-list = "allowed_to_router";
 }
 {
 action = "accept";
 chain = "input";
- comment = "defconf: accept ICMP";
 protocol = "icmp";
 }
- {
- action = "drop";
- chain = "input";
- comment = "defconf: drop all not coming from LAN";
- "in-interface-list" = "!LAN";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept in ipsec policy";
- "ipsec-policy" = "in,ipsec";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept out ipsec policy";
- "ipsec-policy" = "out,ipsec";
- }
- {
- action = "fasttrack-connection";
- chain = "forward";
- comment = "defconf: fasttrack";
- "connection-state" = "established,related";
- }
- {
- action = "accept";
- chain = "forward";
- comment = "defconf: accept established,related, untracked";
- "connection-state" = "established,related,untracked";
- }
- {
- action = "drop";
- chain = "forward";
- comment = "defconf: drop invalid";
- "connection-state" = "invalid";
- }
- {
- action = "drop";
- chain = "forward";
- comment = "defconf: drop all from WAN not DSTNATed";
- "connection-nat-state" = "!dstnat";
- "connection-state" = "new";
- "in-interface-list" = "WAN";
- }
 ];
 "/ip firewall nat" = [
 {
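Review bot: The new `input` chain in the `"/ip firewall filter"` hunk contains only `accept` rules and no closing `drop`, so the `allowed_to_router` allow-list restricts nothing (RouterOS accepts packets that match no filter rule), and every forward-chain rule, including the drop for new WAN connections that are not dst-natted, is removed with no replacement visible in this hunk. The first added entry (`address`/`list`, with no `chain` or `action`) looks like an address-list entry placed inside the filter list, and its upper bound `10.10.10.10.254` has five octets, so the list is probably never populated as intended. I would move that entry to an address-list section (assuming the module maps `"/ip firewall address-list"` the same way as the other menus), end the input chain with an unconditional drop, keep an established/related accept ahead of it so replies to router-originated traffic such as upstream DNS lookups still arrive, and restore the forward-chain drop rules from the removed side. With `allow-remote-requests = "yes"` carried over in the first hunk, the missing input drop also leaves the resolver answering queries that arrive on the WAN side.

```nix
"/ip firewall address-list" = [
  {
    # placeholder: the committed upper bound has five octets
    address = "<FIRST_MGMT_IP>-<LAST_MGMT_IP>";
    list = "allowed_to_router";
  }
];
"/ip firewall filter" = [
  {
    action = "accept";
    chain = "input";
    connection-state = "established,related";
  }
  # … unchanged: accept from allowed_to_router, accept icmp …
  {
    action = "drop";
    chain = "input";
  }
  # … forward-chain rules from the removed side kept here …
];
```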