
add CGNAT IPs

master
Marek Isalski 3 years ago
parent
commit
77b9ce6ab0
1 changed files with 15 additions and 2 deletions
  1. +15
    -2
      includes/routeros-v7-aggregation-router/firewall.j2

+ 15
- 2
includes/routeros-v7-aggregation-router/firewall.j2

@ -59,11 +59,24 @@ add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-po
add action=accept chain=input comment="allow ICMP" protocol=icmp add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane" add action=drop chain=input comment="protect router's control plane"
{%- set nat_source_ips = [] %}
{%- for interface in device_interfaces %}
{%- if interface.name in ('loopback',) %}
{%- for address in interface|get_addresses %}
{%- if address|ipv4 %}
{%- do nat_source_ips.append(address.address.split("/")[0]) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
/ip firewall nat /ip firewall nat
add action=return chain=srcnat src-address-list=public-addresses add action=return chain=srcnat src-address-list=public-addresses
add action=return chain=srcnat dst-address-list=no-cgnat-to add action=return chain=srcnat dst-address-list=no-cgnat-to
add action=same chain=srcnat out-interface-list=uplink same-not-by-dst=yes src-address-list=customer-private to-addresses=185.66.206.1-185.66.206.3
add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private
{%- for nat_source_ip in nat_source_ips|sort %}
add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="CGNAT"
{%- endfor %}
add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1 add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1
/ipv6 firewall filter /ipv6 firewall filter
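Review bot: The new `{%- for nat_source_ip in nat_source_ips|sort %}` loop emits no srcnat rule at all when no IPv4 address is found on the `loopback` interface, so if the masquerade rule is one of the two deletions in this hunk, customer-private traffic would then leave the uplink without translation; the template should either fail rendering or keep a catch-all. A minimal fallback after the loop is `{%- if not nat_source_ips %}` / `add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private comment="CGNAT fallback: no loopback IPv4 found"` / `{%- endif %}`. The `{%- do ... %}` statement also depends on the `jinja2.ext.do` extension being enabled in the rendering environment, which this hunk cannot confirm. A short comment above the loop, such as `{# one src-nat rule per loopback IPv4; per-connection-classifier splits customers evenly across the pool #}`, would make the intent of the `src-address:{{ nat_source_ips|length }}/{{ loop.index0 }}` classifier clear to the next maintainer.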
