Firewall

1. /interface list add name=WAN
2. /interface list member add list=WAN interface=ether1
3.  
4. /ip firewall address-list
5. add address=ТУТ АДРЕСА list=remote
6.  
7. /ip firewall filter
8. add action=accept chain=input comment="allow Winbox" \
9.     in-interface-list=WAN src-address-list=remote place-before=4
10.  
11.  
12. /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
13. /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
14. /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
15. /ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
16. /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
17. /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
18. /ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
19. /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
20. /ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
21. /ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
22. /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
23.