@ -81,12 +81,12 @@ add action=drop chain=input comment="protect router's control plane"
{%- endfor %}{%- endfor %}
/ip firewall nat/ip firewall nat
add action=return chain=srcnat src-address-list=public-addresses
add action=return chain=srcnat dst-address-list=no-cgnat-to
add action=return chain=srcnat src-address-list=public-addresses comment="do not CGNAT"
add action=return chain=srcnat dst-address-list=no-cgnat-to comment="do not CGNAT"
{%- for nat_source_ip in nat_source_ips|sort %}{%- for nat_source_ip in nat_source_ips|sort %}
add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="CGNAT"
add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="perform CGNAT"
{%- endfor %}{%- endfor %}
add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1
add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1 comment="redirect NTP to localhost for TLS to work in provisioning"
/ipv6 firewall filter/ipv6 firewall filter
add action=accept chain=forward comment="forward existing connections" connection-state=established,relatedadd action=accept chain=forward comment="forward existing connections" connection-state=established,related
