k3NGuru

Firewall

Aug 21st, 2016
[admin@MikroTik] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.91.0/24 out-interface=ether1 log=no log-prefix=""

 1    chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.91.0/24 out-interface=ether1 log=no log-prefix=""

 2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""


[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix=""

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 3 XI  chain=forward action=accept protocol=ipsec-esp src-address=192.168.88.0/24 dst-address=192.168.91.0/24 in-interface=bridge out-interface=ether1 log=no log-prefix=""

 4    ;;; Allow IKE
      chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

 5    chain=input action=accept protocol=udp port=1701,500,4500 log=no log-prefix=""

 6    ;;; Allow IPSec-esp
      chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

 7    ;;; Allow IPsec-ah
      chain=input action=accept protocol=ipsec-ah log=no log-prefix=""

 8    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix=""

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

10    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

12    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""